23542300x8000000000000000213874Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.928{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415C27ABF68B5C4ECC3F68794F8DF0E8,SHA256=4B036C9840E5E45C16544E1B9854B924869168DC9DD9524879732EF932D2E9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160243Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:26.202{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4305C84E2B543E62F2B85981E62B2FF,SHA256=A4829956B322A6DF0D0961C26296705B5FC5E647B6690025A393308D78366CC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213873Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.850{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213872Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.850{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213871Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.829{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213870Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.797{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213869Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213868Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213867Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213866Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.782{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213865Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.713{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213864Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.713{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213863Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.665{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213862Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.650{079FE16A-284E-6116-B000-00000000E701}8523620C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213861Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.650{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213860Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.648{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DC06-00000000E701}5648C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213859Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.628{079FE16A-2850-6116-B700-00000000E701}41044304C:\Windows\System32\RuntimeBroker.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000213858Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.628{079FE16A-2850-6116-B700-00000000E701}41044304C:\Windows\System32\RuntimeBroker.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000213857Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.581{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DB06-00000000E701}7116C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213856Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.549{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-53D6-6116-DB06-00000000E701}7116C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213855Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.549{079FE16A-26A1-6116-0C00-00000000E701}8326344C:\Windows\system32\svchost.exe{079FE16A-53D6-6116-DB06-00000000E701}7116C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213854Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.528{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12868|c:\windows\system32\appinfo.dll+12fbf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213853Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.528{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\system32\svchost.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+cdf0|c:\windows\system32\appinfo.dll+12aa0|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213852Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:26.528{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-53B9-6116-D306-00000000E701}6636C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160244Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:27.202{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ADCEE2719D40485D751C8A04670638,SHA256=AB878D212D54146CEF44E4CF5675D113D9A53046F1841F5755A3340EA4F64EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213902Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.581{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8DD536637440AF8BDD122AC34CBAE4,SHA256=33364D528D50E1789532B854656852E988BF594892A48EDF302C328540880AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213901Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.581{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87D047E16FC05C487AB3EB0CBFDD210F,SHA256=568E3DAB695DBB7CB142941EB21C86A963BFE6044A3028756422AFD51FEF2877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213900Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213899Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213898Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213897Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213896Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BA00-00000000E701}42684516C:\Windows\system32\taskhostw.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213895Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.150{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213894Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.148{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213893Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.148{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213892Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.146{079FE16A-2851-6116-BF00-00000000E701}46525456C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213891Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.146{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213890Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.145{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213889Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.145{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213888Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.145{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213887Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.113{079FE16A-26A2-6116-1600-00000000E701}13001980C:\Windows\system32\svchost.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213886Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.113{079FE16A-26A2-6116-1600-00000000E701}13001344C:\Windows\system32\svchost.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213885Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.113{079FE16A-53D7-6116-DF06-00000000E701}56886664C:\Windows\system32\conhost.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213884Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.081{079FE16A-284E-6116-B000-00000000E701}8524440C:\Windows\system32\csrss.exe{079FE16A-53D7-6116-DF06-00000000E701}5688C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213883Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213882Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213881Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213880Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213879Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-284E-6116-B000-00000000E701}8524440C:\Windows\system32\csrss.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213878Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-53D6-6116-DD06-00000000E701}67127064C:\Windows\system32\DllHost.exe{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213877Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.060{079FE16A-53D7-6116-DE06-00000000E701}3292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Windows\system32\ATTACKRANGE\Administrator{079FE16A-2850-6116-EC13-0A0000000000}0xa13ec2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\System32\dllhost.exeC:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937} 10341000x8000000000000000213876Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A0-6116-0B00-00000000E701}628668C:\Windows\system32\lsass.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213875Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:27.050{079FE16A-26A0-6116-0B00-00000000E701}628668C:\Windows\system32\lsass.exe{079FE16A-53D6-6116-DD06-00000000E701}6712C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160245Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:28.202{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80BA05388DE315EDE7F9E7BFC4FB0C4,SHA256=C976370506F189D94CCE7E47E1A8B195D0450D96B5920BEBE228A3F9A1BCDB86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213904Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:25.269{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64715-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213903Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:28.012{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B6F61CD9023DAD8FE0DB849E513172,SHA256=83676B495BC8610977F5D679B193059D34B4E9F7CDF8E31ECCB66AF379725342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160246Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:29.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A577EF8BE4244434C5F05FDD43046F9,SHA256=A063B1CABD18A848D3DA318E65400E216940DCFF1936FBE29BD0FE0F4D503C20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213912Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213911Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213910Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}4652760C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213909Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213908Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213907Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213906Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.864{079FE16A-2851-6116-BF00-00000000E701}46524788C:\Windows\Explorer.EXE{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000213905Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:29.027{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BABEE7DB5B32C86D301E7ED0370743,SHA256=9CCAAD1AA9032DAC89962599E0909A16E05AD9C0F4C122F77692EBB1AE866EB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160248Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:27.910{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52070-false10.0.1.12-8000- 23542300x8000000000000000160247Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:30.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B265E79C509E4B64F4565600035E99,SHA256=29B5FC09DBDE8DEB7641C418F0E43E9F2B6954BEF6256CD53F2CD3E9431CD711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213913Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:30.064{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769E8BB96B56CCA1772857F0DA41547B,SHA256=A0D7459D32BCE944EDD033485CF945F4948B3B49834A40A6620832206DAD45BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213914Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:31.064{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6542502986581E07F30D35C02CC87B,SHA256=EF7F0B6BA1170A399EE83778D9EB17A260892A49093B161C43FE1868CDA1BF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160249Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:31.249{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC65E902AAB6CFAD03E5AD3ED19CCBD,SHA256=8DE774A9287BD57AECF32A4F04017FC609FB2745DB2B2C1959120AB2E6DD8070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213916Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:30.348{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64716-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213915Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:32.126{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9342B971380566E95D1DA00008976F2,SHA256=02A279D800F69A6C466CF656EBD18A316B38FE48BA3656DEB90A3FE8C9048C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160250Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:32.249{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74899288EE266E2133BA699A38420270,SHA256=06A925B379ED7C122229CA76F24E832C36F696439DEFD5391884CD40A0B39909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160251Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:33.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3986925BF9B8BA36E13C9D5DBB2E97B,SHA256=C59F44EA025E298D104F3676D1DE5E5D3B68DB2AC8A92DF6A0437461542E59F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213917Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:33.145{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D2C9EE866986E527E1524E5F4BFDCB,SHA256=F9F8AC5AB565E0C7C6C1CA4DA843A3D1FA3AC56FF21CF99038FCA7CB238CD115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160252Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:34.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FAA9EBA24E310831E43BB551F184A9,SHA256=BFD1EC30C24120B91B4F92D0E4FF43D62E5B01CD047B38FB9B016FCA3C10496C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213918Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:34.164{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DC113249ED403836F68D8CB933DFC7,SHA256=D93B8F8DB87B089ED27661662CFEBB3422698A3D98578DFB75B7D301E27AA68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213919Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:35.165{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C163DB5ED3870A1DE6D5E50CA7B636,SHA256=2A33EA4B30D2E48482CC20DB3EA51A1D84D7779873F86473CCD224DB461CF1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160255Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:35.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0633EEF8AA3FFD094BF198F0AC264006,SHA256=5CCE4446FCE0DEB6BE2E54DA38C2A7079FC7557651F7544D87A3378ADB39F64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160254Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:35.280{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B857C3AE0ED87E98B8AFECE4CAD69BEF,SHA256=CD8BB487A7FF0D479E70EB69A55899FE2A466B5B167E7A0AFE8B8DF5570FB1CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160253Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:33.788{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52071-false10.0.1.12-8000- 23542300x8000000000000000213921Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:36.843{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A0A9D8662C48EA64620658B7C6ACD4F5,SHA256=60863D9F5DEC831FC9EF8EC4C925E653BB26F18F9DA948C28B4CBC15E2144173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213920Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:36.195{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE99FA008F77DBFBC195ED9872AFA98,SHA256=82FDB64541B9741534D73EF011E64E39C34AEC452E677941E73ED11A959A9BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160256Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:36.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5FB9B9F1357237CB6BA23E40BF7585F,SHA256=94C169D3E67F4CD363423A8B600F5F3CD622A93507332D44086023B7BC1C9AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160257Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:37.296{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD512ACBE45CE43D63A291E1971FF4F2,SHA256=F30754FC1211EF6D3801D6F9EFE4F69F1B27AD339E56DAEAC10857B8629A7CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213922Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:37.210{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC2C14C23BE6D54620F0AEC510F4342,SHA256=F1CE272252FB51C03CD9D5B9676BE13CB4FA49F748D43180FAC9C44964A2B3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160258Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:38.312{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687CEF1AE6A5F1046AC44120CFA5BC7D,SHA256=787B9E7056640FC98EE6220D7B201BC2D53F9D4C950BA38601C0A69F1AD1E29A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213925Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:36.267{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64717-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213924Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:38.611{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213923Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:38.227{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D8DB937A1F8A99E9F5081C1B8BA839,SHA256=51B60E966D984F49C78D57AC48E09E2FEC1660069FE9995CB1FBAFABC5EA360D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160259Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:39.343{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CB4CA039CFF7FC6AE6E8C8A1DF0950,SHA256=5C044A6D89800D713C73D02912CECA381C3E169D953AC3ADD290288D8AF755AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213926Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:39.245{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233A138D04F743538C98B2E9F53F361C,SHA256=0B77D48207694CC9709540101AF8331BAA2ECF4E324107CB0D940E0D8292CA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160260Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:40.343{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF498E78ADF8828D21A569EB8A633BEF,SHA256=AE20B548807BA6E3EF30F5701C05D5389542E3AD75009712B335326C73F41676,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213928Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:37.718{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64718-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000213927Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:40.279{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BF7BB260918C613138F46D54534F4B,SHA256=E5E8C1C35031FF7F2B8F3A515DFCEA71461F30F183014D36E91CB40BBF742A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160262Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:41.343{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F99D69A5B84A85B2C199C69801541F9,SHA256=87D715DD0F69FD7CBD6C48F44152BA91EA461338DCF9D02AAF0773EA6E8A8917,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160261Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:38.863{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52072-false10.0.1.12-8000- 23542300x8000000000000000213929Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:41.310{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE9C04D86BFBBF51937E136AC61CE82,SHA256=48E6A65F65A914BDF523E05F63E862C10840CBF860BD9F8989D5ED26024CA59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160263Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:42.405{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC11B0ABA08631ADA771A141A169E8C,SHA256=6D28281828A119347C0094CBD8B7C3895C5B03359FA88625372F3C0589F53383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213930Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:42.430{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED99A04D83A896DC75A395A311726F0,SHA256=C552582B47A626730646A1D1E4D2D4918A0577C98AC9C3E3CA2AF7820349451E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213932Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:41.317{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64719-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213931Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:43.435{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853E05D3CF8B1D1B38296DC60C4C5FA2,SHA256=067824A74ABA14A4F124D4385C96DC3FE88A81F0D6F44D2A0001F13CD5B92967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160264Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:43.421{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF67ECC0D18E16B21763BC401911D8B6,SHA256=E7610A2CFA9AE3B57E9C204EEB1A2E2291411659B162FEBD575BDF397B9450E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213933Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:44.454{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98BE80B7A57AC471982A87C602E5972,SHA256=76B236619F36C0D9280E5306C556C1AF3D2F1DA9A2E66127CC08D77A03CD7758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160265Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:44.437{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A53400CEEB800D6A1EEFD4D8062C8EF,SHA256=071313D59394486E51EBCC46B697B9B8BB6569549D245668F94B1D2F7E3DFB73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160280Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160279Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160278Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160277Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160276Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160275Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160274Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160273Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160272Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160271Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160270Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160269Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.655{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160268Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.656{C6197713-53E9-6116-D505-00000000E801}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160267Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:43.911{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52073-false10.0.1.12-8000- 23542300x8000000000000000160266Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:45.437{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BE1EA8536E9F2F85475B53FF7004A7,SHA256=DE6495FEE1AA2E4AD188BD82CD6ABD99FF9AF5C1F337C1002574F3978D69F7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213934Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:45.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E79BB65802AD578B462FF1690F7B08,SHA256=55729B4F550BA7F7DD3FCE6C11A11BF2ECF74EC9E3982E55F93AEF6EA59F63C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160309Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37140990DBE060172338E3DC34B06E06,SHA256=75D62C40F6F051AC62CC06E706C8A5F21D1C535730583E07A0164A2F3D05C1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160308Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DE2FCBC81CC30A76AF941E31EF2E640,SHA256=E02EDE41D87FC0EE549DEF8172616249A577FCB9FD1F05EFF3D024B21D00688D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160307Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E748C39CE3C3920446D714890F851F94,SHA256=5E464B8E34E357B46A0D8E926C24C8BB0A0A36071FD08EC4B86F09E9F015A8D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160306Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160305Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160304Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160303Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160302Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160301Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160300Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160299Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160298Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160297Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160296Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160295Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.827{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160294Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.828{C6197713-53EA-6116-D705-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213935Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:46.488{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD70094C5F37197440B14BF5DDC895B,SHA256=D791226F004A72EE26138051C7A3AB51DD6CC1CBD9372FA49B6EB7F443C70926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160293Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160292Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160291Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160290Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160289Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160288Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160287Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160286Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160285Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160284Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160283Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160282Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.327{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160281Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:46.328{C6197713-53EA-6116-D605-00000000E801}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160312Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.846{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37140990DBE060172338E3DC34B06E06,SHA256=75D62C40F6F051AC62CC06E706C8A5F21D1C535730583E07A0164A2F3D05C1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160311Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.829{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C887F2332FCFCD2F5F782D6B7D9EFC5,SHA256=B1636DD1C5AF2EA9DDD9DD857DC77EE139F1D3B52782862CBCDE68B14531CD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213936Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:47.503{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9FD88F72EF24C67202B06B41328C4B,SHA256=F615F3C67A5F796052F31C0D667DA8B6FE2BB4DBC20FD847B97E488DC619FB83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160310Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.032{C6197713-53EA-6116-D705-00000000E801}23523956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160328Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.830{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359187ADACE03DB069612B1B9C3CB7F5,SHA256=A0DE21DEAB2A44F80E785FABF72B4F06DC8CE17CA5ACF02073C7CB9BDF3E0910,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213938Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:46.325{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213937Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:48.518{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FE47E29F94D3387F61F44A191C7A2F,SHA256=E12D9AFC3BFBAF67279C004E09983FDACC7AB786131EB6D7E3147FE9D7865D45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160327Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.596{C6197713-53EC-6116-D805-00000000E801}23323012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160326Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160325Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160324Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160323Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160322Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160321Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160320Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160319Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160318Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160317Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160316Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160315Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160314Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.393{C6197713-53EC-6116-D805-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160313Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.221{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213945Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.855{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8C706D4280C59E4F1F7C574F3E13B507,SHA256=4566077350CD631473285222ACE6C13E4FAD76191F406D7624FB23AD27B92CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213944Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.855{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2D48CC0B8F9D602BABBCD9CA61F2A777,SHA256=6439051A9A4CD12B86AEDFBAF01C7180823CEBF84400595DA6EB46358F5EF23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213943Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.855{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=64E6479249A670063015AEDEB7C81003,SHA256=D2DBE43D5DE1D608F067C4AAA57D93DF3CDEE258432E28E58B2EFAA6881FA508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213942Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.854{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=DC89444A41507ADFE55675355F8AAECB,SHA256=996F742E8FC04C5F1F4B4B6B51281B68F19EDB5CDD84741E0EB707173CAF7959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213941Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.852{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D4F910F950CA48E4FA558F89B96BBADD,SHA256=4FE1B527F298461E76EFECC00499D2F99D6AF9B7E278290F2C45CF620C6AA4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213940Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.851{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4B77300FAB96FD22CD710640277146B5,SHA256=88D142546DCF873C7A035C311D1388B8A432B1A39A8D5E53501373C8B320E30B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213939Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:49.533{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F485C8B37EFF94A8449B971B63E12C3A,SHA256=09597249AB7EBADEBC81EBC5223B6D664784C0F82A575B077144C937F6DCE402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160358Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4437938A949E8224425DB770E83E5BC,SHA256=888E4284EED4269E2328D7D61C5EBEFC2A744017F64A461FA96B018F92C5E4D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160357Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160356Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160355Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160354Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160353Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160352Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160351Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160350Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160349Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160348Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160347Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160346Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.567{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160345Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.568{C6197713-53ED-6116-DA05-00000000E801}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160344Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:47.866{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52074-false10.0.1.12-8089- 23542300x8000000000000000160343Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD2EB2FFA5E642E2F368046BA676A5F0,SHA256=22F4512BDFC78D9A7D23EF78FC939016044E1F527A1627B0EE95F6E57879A367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160342Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.333{C6197713-53ED-6116-D905-00000000E801}3124992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160341Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160340Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160339Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160338Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160337Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160336Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160335Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160334Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160333Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160332Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160331Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160330Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.067{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160329Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.068{C6197713-53ED-6116-D905-00000000E801}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160376Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6243590A84DC43F28798C752EEAE63D9,SHA256=291581DE4A22B9A5E7C39F4BE038DC319EE3EEA92F195AF8FCEB5C926B7D2A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213946Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:50.552{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C342C89990D7312F0EDDC293025643,SHA256=57658F519B524D004780F7C0B482616E19D51A0D33CFD8624D48CE7A8BA43ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160375Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.582{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=312172FE7EBE7A40969E35C2CB839009,SHA256=5B02AD3652EDD1B621D84F145DBBA966E7A7FCF0C0BBA7C2903BEB898C19209F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160374Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:48.915{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52075-false10.0.1.12-8000- 10341000x8000000000000000160373Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160372Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160371Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160370Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160369Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160368Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160367Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160366Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160365Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160364Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160363Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160362Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160361Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.084{C6197713-53EE-6116-DB05-00000000E801}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160360Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:50.082{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=464FFF0A1224CA015ED8DBC1A0D84800,SHA256=21253FEE06A2DC73DB1462E1FC1B5591532D19636D3C0ED5C333D7C7328DC502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160359Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:49.989{C6197713-53ED-6116-DA05-00000000E801}13042196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160377Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:51.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493B28ED04350123D04AF8C9830CF69F,SHA256=BDC3632F51F619CCAE71144B3F603AD4A68CEF7CCC25F6719A53B54F1C6A9861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213947Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:51.569{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56B08C4D016FE7AD390CED122F51D59,SHA256=D8FB722271D5BD40212E9248917958BCDE49A0C79E8A8DFA5525BCCA0CF2094E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160378Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:52.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27BE2A113F5BB57FC69E793550C451D,SHA256=792215E510F75CF9F1384987A4C30C34851A6D76EAC396168903AE67E9ACD5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213948Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:52.599{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107D481838D857A927378310EDD8463F,SHA256=7498CC07240FD07A142EC4476AA6F91D82E4BCE0E05BDF0173CA43628A9A86D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213949Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:53.613{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95261E6B976DBB5A7DC93A7A7D197C5E,SHA256=625D7D1EC4607C159F73F89FFA7CB3FBECA69CA4255A24963B614040EABBC6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160379Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:53.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFF70A5B3B2385496D789211BF5459A,SHA256=60048A766E4ED26E0661E9FD49693CB3C0D3B3B9EA1DDFF434D7DF578B92234B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213951Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:52.367{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64721-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213950Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:54.629{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C6547E9EF3D7A1035CF6C6368FBEA4,SHA256=0C4B7320B644876879BA9243D404E982AAC2D4E814F43526DF276FC8BCD45C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160380Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:54.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8FCA0299121B32AFD9B7CD5F73CE95,SHA256=E3B51F00E57DB9E7E5226E59C5E9A1D8D5C6F021C9B839C8B3F5881C722D1051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160381Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:55.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBD2491D122214C1D94663BD3B7F763,SHA256=63C46CACC925E5FF07B0E5D8FA07E5809583F28CA0E8C532C52ECA75E9896F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213958Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.683{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312AAE2FB32062C7C17AE31921690826,SHA256=536B0149B98C107C619F8F6AFAE1EA76CD6E4773F6656CCF275AFEB40EE0CD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213957Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=697B0F8B8AC2BA6605B7317210658193,SHA256=14F11D3A5B8047161DAAA6B644C1760C442F03EAA8481C0ECC111613D531D86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213956Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=1F30967A25C13C4D8E82F9A8F1D5C063,SHA256=30AD2875CFD9231F4F61E6D8F61784BF3581C235758424E777EE49B8DDD80B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213955Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B2EA2B0AA6AFE4FF263DF8593852D732,SHA256=A5B98183717A53DCCF33DAB950B87E09C18CFC5E99044443B4D80C06D2EC1F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213954Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.452{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=35301AC43B978F17475DAAE8B4BD7FF4,SHA256=355795F5CD084B4B72D1B497A3BC3E4316DD1CB2E8C866AEB13FF2C65C47EA74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213953Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.450{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=734729C4A4A8F39DDAF0D8FE206F399A,SHA256=10759DA80E6F012E8109F9E94982ABE5ACEF352024FFAA89B5EF843D851449EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213952Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:55.448{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=68C52CCE8B562A0F3A927C0C0D9DF0CE,SHA256=08D6FEC469691509A3CC4351838FD6B5D5F3368E1524DE0EDABFC70BD578A65E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160382Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:56.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145F52890BC3FCBAC615C7E703AC3A16,SHA256=894E35843D95926EB54FE7A992558222AD7703F0A81D100952397167BA1FD47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213959Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:56.713{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABA025C42799D8237B2F8E912694321,SHA256=BF206C7256986C1EA5FE26121DB8D51C80277C684B3D0E2739C72C11B7AC8153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160384Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:57.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA53E30FBC8FF01BEE1F85BDAEA4B0B7,SHA256=629C96E1664F7833380E7DCF245C4926961CEEE485140225202703BCAF0A42DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213960Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:57.727{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFDD790891FA910CF533CBDF23D6065,SHA256=634319F09878080A275556C016E1A320C2AE4A347AC9E05EA1D4B17B53D1A4DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160383Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:54.884{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52076-false10.0.1.12-8000- 23542300x8000000000000000160385Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:58.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98118E67FE06F03652554360B8EDFA5D,SHA256=E1DCCF5D8A5E1CD06893E7FF945E24E38F1B4850B4ED5496BFF401E31E0DE92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213961Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:58.745{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E406707A5B55872C5EAB0FEB36E1462,SHA256=5F65CC38D1D4B4ABC32823CF7076556B0764F342C73674B38882105DB695149C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160386Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:13:59.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3E1BEF2BD68BBBEBF72858829E92B5,SHA256=B8C1D51EA93D29C017EE0588BB61B9AE1137E59967E474FBE84F138BE6DAE446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213970Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.826{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D602CCCB3A3F1D93BB7F8EA5F9067D8E,SHA256=47F9F9706424731FBE4E2BF13F22EC07E6DCC8653CE9E27ACB478F892BAB9E40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213969Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213968Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213967Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213966Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213965Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213964Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213963Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.710{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213962Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:59.711{079FE16A-53F7-6116-E006-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000213994Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.894{079FE16A-53F8-6116-E106-00000000E701}57047120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000213993Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.847{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D086D0CB2712D59E18C524C1129ABB2A,SHA256=28F86CEA050C9D8C0B1A8D0EA794BF48CC20F4C13877FBE37918C52F5A56D3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160387Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:00.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B77D1B074DFF5863B769315C874F89,SHA256=C5526F09A3C7885154279F2132926B037C27AB1BAF6DAA8169946EF2B6D055EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213992Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.716{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8BD004EDB018625D8091855E75FD798,SHA256=CF7A97DBB943AF46CA3D8E64CEF7D9A1EC0070CFDF9B71C8D32EE4FB5F81C04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213991Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.715{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B8DD536637440AF8BDD122AC34CBAE4,SHA256=33364D528D50E1789532B854656852E988BF594892A48EDF302C328540880AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213990Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213989Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213988Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213987Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213986Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213985Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213984Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.563{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213983Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.565{079FE16A-53F8-6116-E106-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213982Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2D09B6F9EDEFC69A233391E2628A680D,SHA256=7BB2B6314799F909A3D6EFE9CBE59C2ED8B29DC1202CA9149B03E032E288916F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213981Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=AE7C0F65D3CEED0E1410D63778B5DED7,SHA256=654C8809846E88214A2D7275C122DA061457BD9C5C8F78262EB5C1A9E7B44FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213980Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2D0A83580422635CEC7C6D7C2DBD82F6,SHA256=154BD1FC44C8FCF9A0215206827D84E31F17886390AF02C07C37A2BD6468E007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213979Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=CC34E591623319FF8AC832C9184F3C43,SHA256=82B122F25673DAC4F01C43CD4796562F99F6DBE9494A5DB831040BA47D5B4C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213978Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=7E0E2B40BA90E4E8BEEE42FEF678321A,SHA256=785279F4DE2A47DA6495964554056B41380B1BBCD602769363DB0D1AC7CB6214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213977Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.479{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D655D2845120DF80ACC06B8841AFE0A3,SHA256=21931DBA62BCFF47ECF453D9B833C2FB25EF1BC00D645AC8A36A8BCD8B171A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213976Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=802CEF181B45F65EF49C0A4C04368D60,SHA256=901C723C381A0A40D000454C06A182397B106BBA10273716F195486021AA14A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213975Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=6F6491A601A1A664861361A6FFF7D187,SHA256=002196242A59970DCBE475A4F60DB68DCB294DB298412A74AAD2E84DFBFE0864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213974Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C67B28D3C3C20FF2D97715B4885C17C8,SHA256=6ACC64E6DF471D6736C00D0B6D6E71E026850F6B68F664609671D3D2A030F4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213973Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=33144AC011368A829D393503FD89C748,SHA256=A6FB8E4B3B2FB648E66A089021125A47CD50D63DC6EE25471F973BE22D011F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213972Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B6B164F3D4A4FE34B5C93F0202AFD4ED,SHA256=51B5339376DEDC0489144D142BF836A5AF8B1861150F2A64B58A4E2AE7FC2143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213971Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:00.463{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D16251F3A0AA400F69DD51DFF20CFC7C,SHA256=1F209995E8AE90213AAD823E8CAD33216E7A4AFE0975097F66AF2DCE9B4E2404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160388Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:01.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4288DDC61070416A9B29917399537432,SHA256=671F22D5A290D4C9F1466B604E12B18A9E3FDB2A954DAD620D6B16E9F6ED35E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214004Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.862{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E406E970BD07572E88BD7D32DB707274,SHA256=F97E7DE60FF0092ED9984436960B4F84F2E719F0AF82D215C7D386E3BA4619A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214003Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214002Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214001Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214000Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213999Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213998Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000213997Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.194{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000213996Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.196{079FE16A-53F9-6116-E206-00000000E701}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000213995Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:13:58.133{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64722-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000160390Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:00.853{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52077-false10.0.1.12-8000- 23542300x8000000000000000160389Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:02.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F525B9841B07C0A90D237DA692F3A06,SHA256=735585752E99AB292B6CA0266812FF054FA24DB328B09E1FAFB5F36F3265F2C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214006Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.877{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027C65C65C032C9AB587E0A966EFC168,SHA256=DE56783605920CC4619C76CC577E1C3A8F6616AAEE43B22254908369AFCB8953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214005Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.362{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8BD004EDB018625D8091855E75FD798,SHA256=CF7A97DBB943AF46CA3D8E64CEF7D9A1EC0070CFDF9B71C8D32EE4FB5F81C04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160391Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:03.848{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EBD34F59BBD0095A5EC66D79E99895,SHA256=6FF6A8C7E1FDD51186859BEF147F4D6E246BDCB89B2377ACC1426B21973ACEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214015Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.915{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E56F04556524B76C031D8CF6FD019A,SHA256=FBB280F019511D99566FD547A142F621E5CC67911A477944147999CE6A4C54C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214014Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214013Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214012Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214011Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214010Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214009Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214008Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.777{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214007Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.778{079FE16A-53FB-6116-E306-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214028Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.928{079FE16A-53FC-6116-E406-00000000E701}41326340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214027Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.928{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B381EF1B53F9C708D9564A2FB051179,SHA256=7BDFAA4F5142E20783C0DE060EEE1AF1AE8EACFD1F26A9D5344D586FF08D1A0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160394Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:02.852{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com50132-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 354300x8000000000000000160393Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:02.502{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.9.49.23995.9.49.239.static.ttnet.com.tr54306-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000160392Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:04.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE89B56C2CDE7282B3E6F368D7A2EBB,SHA256=879B79E39B49658E7B346FD09BA2F9754674BA075150F204BB14F2AA7BDE3A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214026Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.693{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF8C56630A2066793FCC74DE2FC0B80B,SHA256=74B0FCDDDB6C5EB6AC2B5CD765D39A2DF68A7EF4C965B2EB2999D533D7066E34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214025Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214024Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214023Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214022Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214021Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214020Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214019Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.643{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214018Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.645{079FE16A-53FC-6116-E406-00000000E701}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214017Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:01.932{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.9.49.23995.9.49.239.static.ttnet.com.tr54301-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 10341000x8000000000000000214016Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.117{079FE16A-53FB-6116-E306-00000000E701}26726192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214050Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.975{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EA1D294A4F21E9C3C0C530F07EB384,SHA256=0634A33A6C5D0C227FCE3AAF35C639A13F6BDAAD1FAF3EC8686439055E08023C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160397Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:05.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179AC6B2F513F4014A73AD85E078EC6B,SHA256=DDA44E59B59BA4D51EA2FB787F46884ED2390E280DAE291AC1D0887F6285E218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160396Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:05.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910308649549C0748ED32ADA1442D0CF,SHA256=14EAB319A4DABC4C29694B68B5EA33778900E7608AF5298D6CE3BBA26B6E0086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160395Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:05.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638EE150635B86040FE5FD35C2BF5EE6,SHA256=556ECE0B6D43FEC0111B76465C5CBE1C1DF05FFA8657ECE380DE1E5519624079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214049Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.890{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01290245E9F73804769DD97D7B0ED15A,SHA256=C2DFDA52C715C82954D220766DB27F2FE6861B07BB9F7AED31E89E6E0ED5026B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214048Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214047Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214046Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214045Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214044Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214043Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214042Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.790{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214041Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.792{079FE16A-53FD-6116-E606-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214040Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.575{079FE16A-53FD-6116-E506-00000000E701}55883440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214039Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214038Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214037Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214036Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214035Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214034Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214033Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.291{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214032Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:05.292{079FE16A-53FD-6116-E506-00000000E701}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214031Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.769{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64723-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214030Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.769{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64723-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214029Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:02.328{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com50130-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000214053Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:06.991{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFE7CEE7C3AE72B1591FC3FDFAA3CE0,SHA256=7CC5B420094E64958A9B5B407E1092A3AA34E8FE6E57C4AAB1951E85EFE814B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160398Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:06.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D045019031CEB658D7AE99568E1C933E,SHA256=497CFC5D3D4A23724FF62CFA290D6994A53C40F197898F4230B866642C999552,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214052Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:04.013{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local62663- 354300x8000000000000000214051Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:03.184{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64724-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160400Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:07.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F2587D4EDF570BBBE138DFB5D23ACA,SHA256=DCF7F8C4EAAEEBE100383DF7747CF3E8364ED3ECEAC4C0F15078D98767A10C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160399Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:07.239{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179AC6B2F513F4014A73AD85E078EC6B,SHA256=DDA44E59B59BA4D51EA2FB787F46884ED2390E280DAE291AC1D0887F6285E218,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160402Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:06.791{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52078-false10.0.1.12-8000- 23542300x8000000000000000160401Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:08.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38157502A3C62DA1E7B9190DDCD303ED,SHA256=CAA1C9A1AFFAB48E7CE81912842F852DF8512EF2EB957D39CCA89BE05E589538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214057Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.090{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000214056Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.090{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214055Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.090{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb14e51.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214054Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.024{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B796000C04C0521A286C030EE5AADB0,SHA256=1C7015BC4EF194C745D05234913FEDB59FE860F8F98B055DF3E3CCF22C11992F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160403Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:09.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9F2FA9689B619EC053E26692074A36,SHA256=44B5510259746AED3F2D9DFFB11CD6F121612E8F49530EF438301FC272204121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214058Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:09.207{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA0F337F0B9006BE1DF2324C6E47352,SHA256=C7D6129A62D4E8314FA78E51D76242C70E154D8EDF5C464AB3892D42C06DE4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160404Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:10.864{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22874727BE7AF05E22EE7D7FB70677EB,SHA256=6E7FD18E2A2CB73974A93B8E380E1CA6CF1A8A2A7B4894A34598793A62D35150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214059Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:10.325{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB1AB28DBCFA7EA5071BD6CF3574660,SHA256=8AE15A645CD6790C1A25A27381A5F34DC4B688B5E236DB1854C465025871671F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160405Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:11.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE90F84C08A315A706E3B9D2376E800,SHA256=F094168F33D347C4D4999E3223CA14799328BF4AE40C40AB10EC9591CF4208CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214061Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:11.343{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C7D78D66F94C5B527AEFD43307988D,SHA256=F902C6EBF36BE4266FB02F7F886875F8AB4C32137453DE63D503724EE171DD44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214060Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:08.199{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160406Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:12.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4971DB95A09FA3DB4D4118CBB0B76F,SHA256=5227BE1087D0B68E1FB8D4576B821B7FC0502F3FAED463C2A68F6FBD362F4B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214062Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:12.344{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C8155F7FEDD7B828347DC3CA2E7959,SHA256=DD801A5D5CD72A778C5D257F3EA261B81BC8FF5F6CE78143BAA2969B33899F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160407Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:13.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6998BB49D8A93C85B8A44B40AAB852,SHA256=B64318D3B135DE7AAB41DE85BE118BD65B0597ECB22C0F9B16A1C5A29030BBE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214063Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:13.374{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5481D4827419D0D606DFF265152ABD,SHA256=12DB23BD567221A2D852098213A5BABF2B641ED438F848A97D2D2D26EDA46E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160408Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:14.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFA689DB17DA18391FD8541AB82E420,SHA256=B88DCA22FEFB8EEB3F6A0995E3A43BD3F54419C4D8A1E3F72FF122DB102083A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214064Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:14.389{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C14049512BE7CA12DA5821E30C5984,SHA256=2675E63E74A8E9575050EBDC97062AD9BDAEDD372FC74FF96351055BF8B5A4C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160409Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:15.879{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAF68DA247E5F3C9CDDFE694F62BFDE,SHA256=5A43E1302265331EE8B8450E41DF45D0F232F56068FF0A406323007ECB558CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214066Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:15.404{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7421CF21EA3D8ADBEA00B8C051B13DBC,SHA256=852DAE153A5548A617DE61D4E9D9F53FD6170BA1AFBCE427345B78EB8198F573,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214065Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:13.243{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64726-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160411Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:16.926{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B943ECFEA5B4314AAABA6F8156ED1D,SHA256=FE35CB03D52912F7EE9022D8A59147CE0C3B273694470E839CAB8E961DA12B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214067Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:16.423{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D54F6FF4B1236655EB9DACCF6DB345,SHA256=1E174217022DA5119F1F62F12F4C1DA06814E7E923B7697A492C5C94DA4CF022,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160410Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:12.759{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52079-false10.0.1.12-8000- 23542300x8000000000000000160412Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:17.926{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8EC77C868F45E4A819221B3092ABE2,SHA256=F3A2495008998E7F5DB56A388682342B3B91D00998E9878182D2FDF2AC2A5E42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214068Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:17.441{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B6168A9CB80DD4825CB04C9D679905,SHA256=6D4C538DE09E29F55078B9AAE97A75B83879581E7E5AE95E73756F7DEBDE3F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160413Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:18.942{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42976A9B89668DD5DDAEB71166CC064,SHA256=5AB49BD4C101847BE609B7991EFA4E2B4F4637DEDFB46B771E5247ABE095229C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214069Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:18.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD676997FC7D5D82BCE3F70A8A7E53DA,SHA256=CC6BCFACCDA131C5C4D25D8CABE928B70D2B30B439C68605DCF6705B9C7C9959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214070Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:19.472{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899276083C911F77EC6C7537558E87A6,SHA256=ABB63EDE7B3D217BCEB3DCEE3F4C6720FEAC057F544D81206101504BC0903F0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214072Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:18.264{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64727-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214071Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:20.486{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20AF7B84BABC7D05258E34BAF0EF59F,SHA256=4CEF658D86FC2A52F196C15BCD82A768FBC2DF928378D149BAB7E1EDD9C86F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160415Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:17.791{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52080-false10.0.1.12-8000- 23542300x8000000000000000160414Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:20.004{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B527593AE5FF4876587E6634648A5D,SHA256=AE971CAEE07EB28C40C862FA66CE117085E7569E6952B2BAE775D3274B3D42D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214073Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:21.487{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2884862E047BD3674D283A6AA18AAAEA,SHA256=CC5259FF5BA241543F048D4F9B1DFB579ED3648541B3CAF6EDDD030EBE0B9CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160416Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:21.035{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6DA62FB19E9E1A585482F4E9180149,SHA256=EDADE5607C6FF2A6E36B570E18A9DF64EB692D08FA4A6ACAED9D4D2E4513CAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214074Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:22.488{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66BDC62DFFE9F88BA731BDEC4885291,SHA256=6FE25AD08C3FC8700ADBE5CAD709619A62857A36D60BFB47093FF8A932226BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160417Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:22.036{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEC62EBC55706AB103C4C62BF3E1904,SHA256=0113BC4F7031EE0265FE89C6F690360FC1640C38C7FD90173F7A7BA29042AA44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214075Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:23.503{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D086FDC2DC073A37504FC362D035F713,SHA256=B87BFC21E8FE3864CFC19D6FEB0EB8A5953A49D398A82990B49DDE7FF79D2CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160418Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:23.082{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6A29F903DD1DBA20F8850B5577E675,SHA256=FFEA4077C9C08884DA65FC25BA18DDF02B3EBBF3454B99762DDBA17852AEA133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214076Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:24.520{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402DCC38F73573D54F392488D68B3E05,SHA256=B6A54878684CD76B2E0F8F8148DD2233E0A9574DD8EE876E8D260EFD4533090C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160419Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:24.129{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935004980812BFCE4D14F0F622064FB7,SHA256=8C54BD17483379ECB94A2D782EFBE6401D401FA9C7DDD3F9486EB0285AB37476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214077Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:25.539{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A62BDD7CFF0C6D665202D09EDF97911,SHA256=00C40F9E4938A90A94DBE09E705D55A103F628E861A5DEE56EFAC39292CF72EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160420Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:25.145{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC02E068422CFC2B1D472F523EFF52C,SHA256=E7B38E8E361E8B05981EA4C1BB925415FEFE867A4C54210EF5EAD844A5A576E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214079Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:26.569{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7A2643548FA5E6F0F2389D2E628CA4,SHA256=C6DB1B6007480FC3A3382B80A0BB7BC995236C61CCC87B2F5E74038CC9F66DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160422Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:26.160{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEEA89B3D01CB231F8C88A41CADCACC,SHA256=F89AD752906D300FB87F569B0F8D6E2B1F2FD6DD5ECE40C7B24EC8FE5802BAFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160421Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:23.791{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52081-false10.0.1.12-8000- 354300x8000000000000000214078Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:24.224{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64728-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214080Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:27.599{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FCEB3FE6D0F8ECE2CB1D4B99B485A5,SHA256=91069C1F18E9D9B99333243F490DA6CD550EF6A86275262FE002F7DC64A7FC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160423Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:27.223{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811638FBEB1A936F4907FF7B63DA2A08,SHA256=43C2D832369EE8C4152A7C4BA857FF3898DA3E1023621ACEE7D8C0698C0D6882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160424Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:28.238{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967230D0CF1A110BD71CFE58FE74AF81,SHA256=8F36C085864246255F2B4A058A8D366606B2A536D32E5A8CE61493A95C0FE8A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214121Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214120Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214119Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214118Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214117Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214116Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214115Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214114Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214113Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214112Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214111Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214110Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214109Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214108Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214107Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214106Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214105Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214104Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214103Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214102Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214101Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214100Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214099Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214098Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214097Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214096Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214095Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214094Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214093Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214092Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214091Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214090Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214089Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214088Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214087Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214086Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214085Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214084Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214083Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214082Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214081Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.284{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160425Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:29.238{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128F70F9102EB621E96A5C284343E57D,SHA256=104CDFE473E3AC719A05E0765FFE965F13ED19FF4FC8239F13921701B1BC2C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214122Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:28.999{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C134F76876F2461B53E76900E02FA5CA,SHA256=56FDD2DA2B92EF18731E90DD4710C9DA34EE1D846F391F7008F4FE3F841AB0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160426Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:30.270{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA23EA711B9E9F2B41EDE0755AA903FB,SHA256=39C070AFA4810367B49A3CDE1821D27306C261C3F808412C3F112CCAF6B28548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214123Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:29.999{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA7C16E0EA0B086773D832104221D11,SHA256=068F2CD3ABF3A4667F63BEB240032D56AB2AC57B714073730371FABF0BF6E15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160428Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:31.363{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181CDACA65CE497CEAC0DFAD85870169,SHA256=8C6AF09A84E9DE8396BA6D79D7B152298C000CFCD82EA93AB95124C3F1786101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214124Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:31.016{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07293859314DBD97D4078CC908189A73,SHA256=524B70381B02C6549ED4970C78202C68F0E1AC3C549BB1A6C6392003A484F2C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160427Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:28.807{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52082-false10.0.1.12-8000- 23542300x8000000000000000160429Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:32.379{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F841EF501CF2B4790FED9DAEDB4FEAAB,SHA256=2C387A785EE4C7380329D0DB808B23A59FE9DDE0FF7735924CF55222B7FB9376,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214126Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:30.205{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64729-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214125Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:32.034{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E732353A1D14FCC20C4AA5D48AC38B,SHA256=8B68BC5C4C49B9FF1269647DB552649C6737D4F4C6E1FC9F522EDD38ABA46A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160430Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:33.379{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02ED10304D27686841E45F0E0E72C35E,SHA256=0C816B23B2E54B845AEBA061A7D49A0BF117F1F0121634008FF560CA38382318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214127Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:33.065{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B315B8519D6BD51BDC7052928DF236C,SHA256=65AFECAB5CCB62700279EBB0FD17883E9E65A851AA20CC13FF8EA3760BA90ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160431Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:34.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0FAB1B02B4055F68B0D6516570D609,SHA256=E3454E116264BB3CDC9922A154F403DE515C061A53A2D895DCD004B2426FA186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214128Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:34.080{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F1468597CBACBCEF6572C627CCD02E,SHA256=8EED6F1606C3BDEAEAE13A5A7995BD7112F454FFB1BF7239F030B9C8E2FB3E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160433Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:35.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81AB3DF7F77930D34FC2AB178C06674,SHA256=2B8DCA91293D156EA87E7AE74B55389A580DCD945CA82B9E6185A877CA8DC8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214135Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=559D04577F94E84100BC05143EF551C1,SHA256=539215F6953D1129939C74266218D94B9E3F49A7E7EDDE7BAFFFB06555CF4B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214134Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B5C59797EE91D9BACA2A79622F6F96E8,SHA256=769D1D203D1F11BE901C2E23177E85E472DA12656D8123DED2D95569EF492DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214133Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=9CB292F06C524826BA0DB2C28C66A428,SHA256=4BA9BDF70D6A8BD6BDF09C2D60785B1FEDBA4B42745DE604720A91573642B94C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214132Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=5703502BAEF7E17CA8B38556582F73EA,SHA256=BA55ED4D461B02ACC090D2C6310B720C832BAD78731CD44E96AB85276699AD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214131Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=97380B0D58303449968EACA32F22470F,SHA256=385ACF8D75B9588081CA3EACB84843B34F225473468EF088017123B7B97A9664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214130Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.594{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=9B0C2DC2A4D9D305A88407E1917A5E86,SHA256=5A8DD709B3028F12CCFAE9BF861B1A02F06C29699EB6966A3E85339DA348109A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214129Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:35.094{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2752315EE55D4AE1B4B85F2BD65D6AEE,SHA256=9A9F070CF8E7E421C3DF028B9958C0D8E04B8E6660648CD833CD192237C6C8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160432Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:35.285{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3FED0538A81EEFF17B316DC5E86D0AC7,SHA256=D8F749FEE7719072A3955A144DC0CA7FBC1D407A191AFC8FA4E2C41F6C285D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160435Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:36.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773F0748943B79663A9060B2069C74D0,SHA256=ABF75D815DFEF2C7212F146F2AE2A86BAD985A38B2DD59145012C319843159B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160434Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:33.823{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52083-false10.0.1.12-8000- 23542300x8000000000000000214137Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:36.846{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=44DF3CDBF2A8C35B7F0EF76643BA2036,SHA256=3998D304C1D55E9183ECE35F813207919CBA85F6162B0BDE863B39276C194A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214136Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:36.131{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FEB05DA48021EF4EB926BFC172B5E5,SHA256=973B28A204F7BD02FCBFA6E6D1A3424095E80F10FF149F91C6535DA5FEB4D066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214138Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:37.177{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64922719F254CAF89EFE27DE2D9A7A9A,SHA256=C010508D8D12548C84694D01068F0B631747ED27E177863DE7BB9B8A99F71F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160436Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:37.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018663DBF3B4F76975E31FED7A6632D5,SHA256=EB3DF34D82903E09E34A16DF21F2239E705B5CC35168594E8F078A56860B1B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214141Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:36.200{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214140Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:38.645{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214139Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:38.178{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26385615025BC1F961ED6FCB92A6AA22,SHA256=7C248D32AB80D3BD1D959169F207EEADDBE12DAF16D1B44B8DD1D7E249C75A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160437Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:38.395{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE9CDB8791D171A2EE4729DE131BAFA,SHA256=7DF5CF9CE850E51FAC905DED168870F51E39785FA411FFF22791289E586F776B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160438Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:39.426{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDBA0440DD8BC0D6FF37C5E07E6C1C2,SHA256=9EB7639F6A2F3A1E4B4A575278B7F82F558DC184623B7A0BD94947A64A37062C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214143Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:37.752{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000214142Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:39.232{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BE1DCB7D011AF12DD88C4CA92F6F0D,SHA256=62DE3FBFF4D57F748C66148440F32B540406DCC10EF49DC41A793F695AF0B992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160440Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:40.520{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F174B7426FE2ABFBAB0AA1C5073104AA,SHA256=BEAEB3CD662EB086EA36E973A50100CFEF9861BD4F76095586F43940F67CB23A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214144Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:40.248{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4307972BE59C600E37EFF1FEF00C9600,SHA256=2DBC89918A00BB42F1957F59F5B69CFE7758C787552A42F75E45006846505C85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160439Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:38.838{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52084-false10.0.1.12-8000- 23542300x8000000000000000160441Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:41.535{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027BF63FE015523133332495346497E1,SHA256=6C1DB79EA28E58AB6D8EB7A9EA8AD9250825224AFCA990CC73007651C10D8849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214145Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:41.279{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D64106BBB6D8CFDABA3FDB3A21E2A4C6,SHA256=E54126D28374C9C77BD46036B8383FF53BA0E186A03BF30BE86B1FDB294B5487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214146Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:42.293{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA0FC569E9CD73B4BE5BBA35C7337A7,SHA256=6D187AAC24FD7DF67F1B5C2F0F2A0636E94FC419A97F15AA31FA95885F0655B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160442Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:42.551{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3343EC8B01B57AB5040AC1C26DB42FD,SHA256=2CCC14D5134E8A1229337DB5CAFB3DDD6257DFCF4195C5116ACD780AB95125CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214148Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:41.232{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64732-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214147Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:43.331{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CB041E1D85ECA2FE5A5B98A98FFCF6,SHA256=09CDC4C3905C5CE2BAE19463A461C853A1D2DD5713E220D8CDED0D18321BA10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160443Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:43.551{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AC5215082D9355B54FD47804D4F688,SHA256=AADA6295672925915CC7CAA8867EC2D6C050D4CCFF229E33940277616B45E887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160444Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:44.567{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609C2504CE6F4702A0D2AF3EE544179A,SHA256=7766F2BCB0A6EB3BAC2BA1DF9F887488A1ABC075548071BBA2DE323212C7AC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214149Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:44.331{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BC818381E77836C730D1C55C10791E,SHA256=02B04AC0F8AC5CE563289EF90D3BAB58B53541B31DE97642DDF9C2ACDD6E4EC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160458Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160457Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160456Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160455Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160454Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160453Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160452Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160451Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160450Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160449Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160448Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160447Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.660{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160446Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.661{C6197713-5425-6116-DC05-00000000E801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160445Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:45.567{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC3B7C9B11FE76ECC29368A75ED7E7E,SHA256=57DCB4BD9DF80E84C120D8826F9BF0E386FE45806D8F4315E1809DA63824E36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214150Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:45.346{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F88588108870E8DC5E0ED84EF9C2EE2,SHA256=F68C37FA10120944A79C75FC94622310114B2D5AD1F662765FC038AEE91C286F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160485Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160484Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160483Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160482Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160481Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160480Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160479Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160478Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160477Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160476Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160475Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160474Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160473Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.848{C6197713-5426-6116-DE05-00000000E801}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214151Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:46.361{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400546B95DFD4E08A7F4BB5BDDE09D39,SHA256=B73DDD2B2388DF4688BF44A498B22707323D505428D6718E6C600B93C3778D9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160472Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:44.869{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52085-false10.0.1.12-8000- 10341000x8000000000000000160471Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160470Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160469Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160468Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160467Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160466Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160465Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160464Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160463Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160462Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160461Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160460Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.176{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160459Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:46.177{C6197713-5426-6116-DD05-00000000E801}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160490Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.850{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7F27C7D7A07C395A43C7339A9E2430,SHA256=C3E3C20C9411058B5BEB9327FED59A92F65AE8F25BE387E339A118F59A67B99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214152Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:47.362{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396FC0BD9239D052E500FCB88AC611A9,SHA256=A68AA1C44D0E2B57BF953F0E7B4B3D151394078B2DD2FA44763BCA9264F26DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160489Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2DB466F63B69A2BE52625441C9D692C,SHA256=F51C525A2C4EC8763B35C991D79217A98F2A6CB8979DA4D1CE7303448BDA8EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160488Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2305109B1155570F123269343B4E24E6,SHA256=11A7E530096B5383C2D3BBEFAC2942E5006FE37FFB5D5DCCA871DD97C0E451D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160487Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.051{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A9FB1E5768591B12877286FBFAE14B,SHA256=CED20F72916066FA2D9F035ADBEDFD3C9EDAD4C185DE798A95C4920BF43344B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160486Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.020{C6197713-5426-6116-DE05-00000000E801}32441036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214153Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:48.376{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6B780E48BCCA06177DAE952A8D7A74,SHA256=2E783D667F1FEAC10C24A8AE8F4E65E9DCBF2C538333B1FA21694BC2B4B1B53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160506Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.857{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D3494ED45AE0C04657A0888854003D,SHA256=A16D43C902252F542792CE4D4AA6286F502487830B4DBCC8B9B8C7BF470B538A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160505Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.616{C6197713-5428-6116-DF05-00000000E801}3460220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160504Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160503Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160502Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160501Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160500Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160499Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160498Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160497Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160496Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160495Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160494Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160493Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.412{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160492Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.413{C6197713-5428-6116-DF05-00000000E801}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160491Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:48.241{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160537Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.898{C6197713-5429-6116-E105-00000000E801}28364076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160536Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.881{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291697D67CCA8AE1DA070DC1466F5F0B,SHA256=F7C26EEE11E18941D8B36CDD0806350A816FDB42CF305CBA974A4F6E0796F3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214154Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:49.391{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD408DF702154BF3ECD56AF30C54BD70,SHA256=F1BCFD0BA8059B2CDD69BFCC1CC735B5867E826D7DAC96F16A1CBF3647D16A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160535Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.644{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2DB466F63B69A2BE52625441C9D692C,SHA256=F51C525A2C4EC8763B35C991D79217A98F2A6CB8979DA4D1CE7303448BDA8EF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160534Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:47.887{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52086-false10.0.1.12-8089- 10341000x8000000000000000160533Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160532Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160531Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160530Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160529Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160528Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160527Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160526Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160525Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160524Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160523Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160522Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.582{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160521Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.583{C6197713-5429-6116-E105-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160520Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.363{C6197713-5429-6116-E005-00000000E801}24042384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160519Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160518Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160517Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160516Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160515Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160514Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160513Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160512Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160511Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160510Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160509Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160508Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.082{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160507Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.083{C6197713-5429-6116-E005-00000000E801}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160551Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.881{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379938496260AA2A0C568D454E9891D6,SHA256=FEE352C07E4E8385D13E945396728B8DFB3793B6661559B4FC3C53F87D09728E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214162Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C206F231801E8982FF5C4EC9B27410ED,SHA256=D96764B55135B3B03CC06CB9E223BA3348F7AB217A9E8FFCD96BD19752BF9A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214161Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B4A09D2AE6175CF7AB77019DBD5E92C5,SHA256=7B3DC78D30C0576FAAACC20344B3943048F2256DC4BFC31D2DCBF08E44BA0053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214160Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=AA2E7C4FA956F6BF549B32B52C3A7458,SHA256=16DD5220A28DBF7E8826BB3E1A4F370DF5986D03E17D64406582DEEE79CC4C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214159Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=828C1F2CD1011FA312BC3FEEBBCDCEAC,SHA256=4578C7E7AB9B10CB13A1513296137B5D259A95202A6C72A8E2F87079935205DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214158Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=E581E741AC096B26D9DD6ECB92228F10,SHA256=F532275F5B93C4C0F4C154EEE7C2E44A66204B244DC0B0FEC7D1969FBD93583C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214157Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.658{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=3E1DCA3E6504CE60AF26E0D77082F377,SHA256=1C1336618A99491F62EE06F205276BAB6584F5F2E061DA085223D8391398FCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214156Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:50.409{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424ABE0708F5C197B4D0625EC4328E08,SHA256=6BEC62A52530FE542DF65A7DB2F6FDC13CC56660530012E6AE013A755F8F8043,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160550Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160549Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160548Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160547Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160546Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160545Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160544Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160543Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160542Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160541Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160540Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160539Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.084{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160538Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:50.085{C6197713-542A-6116-E205-00000000E801}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214155Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:47.215{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64733-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160554Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:51.897{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94ECD08D541E52D61A59116EE9E3F8E,SHA256=5279A46066B83C0655DAC403B906E9E30D84F3D91E172C00A8BC989D87568BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214163Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:51.442{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD6E089593B45C6AAFFB12B34C253E9,SHA256=5B79A82F0E77F130D4A8B2B53C943ACD50A668EB96F05186FFAFAB9BC18315CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160553Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:49.893{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52087-false10.0.1.12-8000- 23542300x8000000000000000160552Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:51.319{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05D38038BE98C4E499BB8D83A2C920FC,SHA256=4C00445A898855A9ADFA9C0BB5B802FF6BF1B8713F7A8E09406062C15C0A17C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160555Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:52.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9E733DA6013663E0651D743486AA5E,SHA256=8D8ADA51A86753618FD712B87A786DE3445BADFF7BE3EF3AC6A0971262A8A520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214164Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:52.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24FF53E6199E174D4B82C5882529324,SHA256=E4CD05FFECF7B04FE0F95DF92646AB540D52DD91E5E6698477DFCBD179883CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160556Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:53.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEABF2859A4914692CAAEDBDB60B6D48,SHA256=AEEC4C98DB5D8BB799122072BF9DFB1C317D003FCE1757B6B0514D70543B137E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214165Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:53.457{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C401CC0D3B37A29F7A954E5C19662D29,SHA256=699E45D2E04CDEB107EB76179C3530ABFFDB8921D42DE5831C145C838AC69179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160557Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:54.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487A73E39AE90FC8C817C6CEB91F6536,SHA256=E20B68CCD2941223733502C5F239326636DB3F83F5D9C517316092C991ECCEA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214167Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:52.370{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64734-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214166Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:54.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B6D38B89080FB5256B04EB34B3FC94,SHA256=86E97D4AF0DBADC25B0CF85B9BA08EAAE0811B08D38946D5E32F82B0131DFC4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160558Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:55.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3F25A72A5C840158B36DF09AAF549E,SHA256=8D586C290F3B92B3E0BF3567E58A3A82BB9D8775E42B1E5321866B592799D04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214168Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:55.480{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83225359077D4DBF9EEC1C0974CAE62D,SHA256=510D0BB9016D7ACEF26921816C9D815AAC078E748EE9F505D9C381F15CE32A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160559Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:56.913{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376892D49D3C12E7CE0ECEDD8EA13031,SHA256=2F0E25AF1488C97AF09F35FD5F1E325D32A3FB8EAFD0EF76E765C9F9B1578705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214169Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:56.513{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA770EBB257B9D07444BBCF7118DBE82,SHA256=F7B903B48778811A61897F455D107D46DF57B430D51425F382D720F7C6E3ED37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160561Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:57.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7739A03E13F8876C87A3CCEBEC6D738,SHA256=326E0E93B9C9ECF6C386F4AF8142ED5B3590DF350580964EA9E62903521B54BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214170Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:57.532{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39BBD529896D6B6ACB8E6668F89F234,SHA256=AA38302BBF31771B4535F8BD884D01C172A104487D51B3DBF57127E35766468C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160560Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:55.700{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52088-false10.0.1.12-8000- 23542300x8000000000000000160562Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:58.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF875E9C32489F67CE074BCC7F05B69,SHA256=6D072D81BB9D05C717BAE8BBC29A5C99C79CCBC2CC02EF3842CA5B237AC0DF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214171Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:58.578{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09192A0DC422B2EB602627D64ECF1B1A,SHA256=0D16A9539B98C8524A4B7E7AE3FB5A8C3EE50E0C4A1C87212235AD5D903674BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160563Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:14:59.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94673D4D620946A59111A667ADD10C05,SHA256=66D17A0FE8CEA62B5D3B6DA7EB2D4377EA63A73816B1B56D66936ACDF110F367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214180Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214179Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214178Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214177Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214176Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214175Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214174Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.731{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214173Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.732{079FE16A-5433-6116-E706-00000000E701}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214172Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:59.578{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC167C8EDB531BA648AB7590565815D,SHA256=D7B8CF399DACDD72A915A8A2BC49C8B16E0E2482A44725D3BC1FE32A3AEE507E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160564Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:00.944{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0801CD219575FB11464DA6877659AC34,SHA256=07BF7F529146337EB64D831BE54E11541260F46AEA522B3825251A6B69320022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214202Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214201Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214200Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214199Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214198Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214197Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214196Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.893{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214195Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.894{079FE16A-5434-6116-E906-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214194Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.746{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D8FA1409ACA4084EBFF6227297E698,SHA256=91380291DBBE2708DD3316FEBE8CB95D034FDAE0F806F3C63860C74D005C5A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214193Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.746{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79A074304F1231387D862F8CE4012180,SHA256=C36E69777E50E21093F53B511FBEB319274B72FCD8B4D0B75C20C7569C44E2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214192Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.593{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E182865D05AB0D9AADD93D2512035BB,SHA256=D857C4F92BBAE49E3B17FACFB0E42CA2B0F59E3F219F07F8D6A2769E067E03BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214191Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5434-6116-E806-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214190Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214189Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214188Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214187Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214186Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5434-6116-E806-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214185Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.393{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5434-6116-E806-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214184Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.394{079FE16A-5434-6116-E806-00000000E701}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000214183Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.178{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\SiteSecurityServiceState.txt2021-08-11 16:30:08.892 23542300x8000000000000000214182Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.178{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\SiteSecurityServiceState.txtMD5=29871BC5D559CD54608CCE82897CA336,SHA256=1A2B4EC4BEC3643C8DDF8662A16670E6333D562D8FC57751D63E83466DCCF8BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214181Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:00.015{079FE16A-5433-6116-E706-00000000E701}66286828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214205Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:01.911{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D8FA1409ACA4084EBFF6227297E698,SHA256=91380291DBBE2708DD3316FEBE8CB95D034FDAE0F806F3C63860C74D005C5A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214204Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:01.661{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1089CD7970EBF572EE8BEE2B4669FE,SHA256=1C9651FED9F6F1B0E268CDD21D28B1D402CD9CB1B41577F18532EAF16E9B4C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160565Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:01.959{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7B80CEB452CD1A14CB4C36078A458A,SHA256=1BB9CEF62598CEE5B1D973D6084545AF791E3AA7F9CDB0603FCE3040F117AB8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214203Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:14:58.185{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64735-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160567Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:02.959{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3EC7302AAD6C9EF0A0C31F70B39B57,SHA256=546E14C9B943666941D89C82CF2111C9FC4A80CBC71B4A2425437326A4B3CD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214206Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:02.676{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2806D2D503233FE768CEB3F2272164,SHA256=B88AC16B090BF5427FF3E0F10D121B832F56A4C31B444EDE64719F1EF98EEE3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160566Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:00.763{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52089-false10.0.1.12-8000- 23542300x8000000000000000160568Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:03.975{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF389F71244F7AC1FAB7DEE99FF559F,SHA256=CD335B8AD59A55A8F8B376CA16148922C0980821FED68CD54FF3262DA3658B31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214215Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5437-6116-EA06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214214Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214213Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214212Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214211Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214210Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5437-6116-EA06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214209Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.775{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5437-6116-EA06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214208Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.776{079FE16A-5437-6116-EA06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214207Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:03.690{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B97BD9C4556F2E2D8F9A4F9266B1CB7,SHA256=628DBC8BB3B72CF7B70A942750175F49322E19C74624B23E61FB91D282AF1156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160569Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:04.991{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AED5BBBC3BB4616135BBEF31DB1F3E,SHA256=EAD84F29D27FD4A69F84BCE4D226F2FC38B5B03CFE65F94A0754FA8A74ED4624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214227Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.696{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2901FADFBD10B50FD17B37BBF46842A9,SHA256=FC47EC79802C6158FADD2DEAE2DF7D2B984453265265FDD284A08D3C308825CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214226Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.680{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F16BA55FA83C03CB195D74985DA3D583,SHA256=4676870169A243A9CB5F773BA680EEA982B81E4BB673B6D33D9DA5388414F644,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214225Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.658{079FE16A-5438-6116-EB06-00000000E701}61806172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214224Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5438-6116-EB06-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214223Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214222Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214221Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214220Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214219Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.380{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5438-6116-EB06-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214218Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.379{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5438-6116-EB06-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214217Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.379{079FE16A-5438-6116-EB06-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214216Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.180{079FE16A-5437-6116-EA06-00000000E701}39244456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214247Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.983{079FE16A-5439-6116-ED06-00000000E701}49127008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214246Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5439-6116-ED06-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214245Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214244Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214243Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214242Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214241Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5439-6116-ED06-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214240Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.730{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5439-6116-ED06-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214239Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.731{079FE16A-5439-6116-ED06-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214238Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.698{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42359651115686F71C74C41AC1FD63E,SHA256=66CDA6C513537EA934D01D4FE3DE8F121AA01E9553E5480CAB54650CEAABC93A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214237Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:02.783{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64736-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214236Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:02.783{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64736-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000214235Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5439-6116-EC06-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214234Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214233Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214232Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214231Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5439-6116-EC06-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214230Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214229Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.058{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5439-6116-EC06-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214228Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:05.059{079FE16A-5439-6116-EC06-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214249Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:06.714{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B0ABA44627CD2E24C58981D870CF15,SHA256=863404F2BA1E856E11DEEBE46953680C10D74FC78F3EFD88834029FE892C3DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160570Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:06.022{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB83D676D4E3542D1E44512D399C18DE,SHA256=D06C057A28FC300E3471D1DD94C78230E57C637E6E3689ECA2F321955C296756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214248Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:06.081{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05261178859E385C26258A766A133C8B,SHA256=512EBBCC8D45C338AEBFF66476AF22D884CE442F5D16E3F0E55A83ABBC4EE1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214252Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:07.729{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB564506F6B723C4EA85B45EA60AB19E,SHA256=70125C5F45241841F018391E5CFF0A35B9E48B281EBEA28D66107097E611A5A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160572Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:05.841{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52090-false10.0.1.12-8000- 23542300x8000000000000000160571Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:07.053{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8C932BDFF482A41B1DD6970FD9A9B7,SHA256=49B757CF87323BDE823118DB654849C6175893C5337302D2934D6874CD67DFF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214251Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:04.182{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64737-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214250Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:07.014{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-2850-6116-B600-00000000E701}3524C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214253Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:08.744{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE5C2B1CE5849F4CEF6A9818F25EB02,SHA256=E76987FEEC5F6FDD89F435DA2989DC4EF4D574FA51D65252A36F687A78EACD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160573Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:08.053{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF6BE1FF06FA596D17C2BA84AD34A59,SHA256=F160775008A4F69C46C09E23C82F205EE774E543B76C56B893A36692A743E84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214255Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:09.759{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA22F90C3C6C507FE2C312BD38FEA315,SHA256=4941105C930A18EA906925151E2CDAD92FE890835A694104BB579EE4C99599D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160574Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:09.053{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F50B4262CEA36F28BFC7D56D71BDE6C,SHA256=9E4FF759BCFC87B7FF59B2CABC4DCB33EF579847EDFE7142EFEC641D144E092D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214254Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:06.185{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local50210- 23542300x8000000000000000214256Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:10.777{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624B365E28D4C1DC7FF513DED3F1DF93,SHA256=304B51DE23EA4FCF6347D66DB40B1D654031B00788756F44465A17F385521BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160575Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:10.116{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647946E6870FEBA0CE98D4B1FC910990,SHA256=1D062F2F1639FA8899A56F8EF5E5F06C7767DE91B038B29A276BBC76F3C42577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214257Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:11.794{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD4A2D8026802499D4F8E8E766FD62F,SHA256=62F277897A350FD6D5676B19D692099C798B9A6B6D95ADE186B6911A6EF64F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160576Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:11.163{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5165DAA50B9023F39B7AC5BB1CC7B86,SHA256=54B5C2FE13FD71A4358D35A5E3A799E36B42887B7343B7F4F156C0A46AC9C48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214261Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:12.841{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A077CACA9268F433C70B0320C1213B6,SHA256=34D83A0689B30A331B6CBCE54E5CB0F7BE72DD8CC1002DD68B8442ABEC2F3CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160577Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:12.178{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B69FF3E390AE790C3B0F2959B7A007,SHA256=8A9D71F79F9A7B02D44AB2B8C99BFC8CAA32D65006726C89866F703323B98A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214260Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:12.457{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214259Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:12.457{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=F0FFAB7ABD4D6ED03D0F53EF5E8054F8,SHA256=8986CC447507D3D02943F189D36AA1BEE5BA2925878AD06210C7EA5F13323C70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214258Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:09.319{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64738-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214262Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:13.841{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A780DB2FA90DF634424273EEBE5FE722,SHA256=C502B86231DDC030B44572A3EE5EFA7736D6B3F06A4FC67BC127AE36C6ACACA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160579Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:13.194{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2379E1360B1B97DC57F640A005D9AC98,SHA256=627E14FB806D478FE1FA75C85D88FA3D9B20D8565EFD5DE6EF711CC08F06D650,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160578Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:10.903{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52091-false10.0.1.12-8000- 23542300x8000000000000000214263Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:14.856{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E1884D806673B0475B0CBC8D9EF1FB,SHA256=38688F5EB3A63E3C425C9B5F934AB5E5F5264A642243E7089E029832918684BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160580Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:14.225{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9511AA083441E4D53C409470B075154E,SHA256=BB13480C7B6DE48AF1D13EAF760F035A4B58ADC2DD3521F7E9A3260162023661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214264Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:15.874{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD672B454E787F6E7877D0A2F6E2E4D1,SHA256=31AF901E85E325D8A50C7BAAEBA118D391C24BD9B550BC46B4FB00858635098C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160581Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:15.272{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5E67138676582C04EF7DFEF327E05C,SHA256=8939B032722EBC0646C041FD94E7A13DD11CA0BF28DC2ACD227577C7A73EFC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214265Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:16.894{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE7047E38773C4E4EAB1C3A207E90CC,SHA256=D898585BCD8F19D00E00F5F2D6D8BC3C914298E20B91E503DD29E301B9552E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160582Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:16.272{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CDE22D47CEA6AA3F94B08330622221,SHA256=9F03902C30937C72D87FF70042920792AF197A9079733B29941A173B937F5D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214267Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:17.909{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44860B64EA8576DA3B3DB5DB09A161C8,SHA256=E2B42CB0977EF55FDD217B0E37B829DA6E75DD8005151441D3A3566A53F46C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160583Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:17.288{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7CBC5C43DA87CE1DA35EF6B7471909,SHA256=25F5AA76A311C3E3B92D3CC92E457F3C36854873A641EB225327E7785CC836EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214266Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:14.332{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64739-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214268Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:18.955{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB018587332F752904F20B8C857BD16,SHA256=270F804584C5E67E462D12B45A237A54ED2D3145497DC16C40C52ABC5A24669B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160585Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:15.904{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52092-false10.0.1.12-8000- 23542300x8000000000000000160584Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:18.303{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D74521940BE9F6F313D351CCFC75237,SHA256=077A8C0F5743FFEBFDD2205B417877F8BA67C7A08F07D349C66BD19738C04830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214269Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:19.973{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CCCE8E05B8971ECF48F2FDEBD7EA20,SHA256=676B26DF676FB5430E5D91B4C1A03822EC0DE3F41B8C557FE39EEAA5A901D7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160586Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:19.335{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA3883C60B837CB1DA109D4F6088339,SHA256=436C5C64BADD5D5CFEC02644B7E60315AEF69A739F620D464D923EE41638828B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214270Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:20.991{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF7B3F9152FC6B08A3B55A9D8A277EA,SHA256=8BB68ABF7B821A616A3C190BC8F9497E615BCA0F215DB9B6A2C30DCCD4B549B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160587Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:20.350{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED5814792E25668EEDE14FDCD512C48,SHA256=A02B78274C267364CF5A7588AADEA9166C289FAA95F489B98CA2A694E297D588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160588Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:21.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67E2AEAF1AE8FB073067EACE78EBD38,SHA256=C81458992B1208D544EF4EDE55B2871A7064CCFFA41D415E6638F2237C06C1E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214271Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:19.347{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64740-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160589Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:22.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C290C3113A61306F81F2AB3B9726F9A3,SHA256=72244E0B2B938C70A56F45ADBC641FFEB2E2CAAEBDEB48420A267240D3173122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214272Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:22.006{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752EBD9F0F8152CF58207725ED0AEA08,SHA256=6026864612C0A95A50087EFDF7D2598AEAC260E0589AD0B919348D47663B618D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160590Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:23.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5F59E1627D8E11E2E5E8BF98381F7C,SHA256=78B41AD931157EA1072067B720572881DE966C9F9AB43C733F7F8A59E8245115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214273Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:23.021{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0EA640F22BD9C6430E3F941BDF21BE,SHA256=0936F1749A6286986796BFCC48547B2A7C52A3D33A33E06B6171E8540221BF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160592Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:24.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5F34D3D9370CB6936FCF86D8C39EA7,SHA256=D26F92E65584C624D4B74F737848F63722B4D602369FD1ABEBB9080DA0DDE737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214274Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:24.036{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC680A670E1DE9C8D5C939624E4F07A,SHA256=16BCDC418A9CB88ED03802974739283BE0448A814E23DDCD6CF72EAA8B8748B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160591Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:21.872{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52093-false10.0.1.12-8000- 23542300x8000000000000000160593Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:25.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32A2D095CB3ECC5002AFD64912780ED,SHA256=6214E17961B832851302A510E9BAC48028A193DB6D104F505AFD23CB8FF6E9EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214275Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:25.036{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5444EA6F7BE02F91C3AF0BE71C1C6B48,SHA256=4244D7184D6FFE970DAC322B2C9324D8C4387F6EB6D6ED5F1BF0D2B60347AEA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160594Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:26.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775210C18840CBDF9ED91A7C9A40684F,SHA256=D777E695CEEB13D112FE8DC0EB49E4B2C540AFB7C0E56D17ADA1A8DBE9E8D161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214276Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:26.051{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C27B828A687CABC55EA88047101276,SHA256=268D143E2140262E5360C0D14C6A2F727ED43150C0EBA2DF2282BD9811A25FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160595Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:27.381{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66444EE008493E9AD08FFC39AD4F391E,SHA256=2FF5EE32519FB3EB919ACD3E965F2A93AC8AEFD5026499B8A4C9CC3339C8B5DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214278Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:25.374{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64741-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214277Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:27.068{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E19BBBB7696A35DECCA0E4B51BCBFED,SHA256=5007B30A0BD553622A36DD0D4E5D526E20FC560EEB4850F7F42A5541B7F04AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160596Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:28.397{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA96086678AAB3D394E5BC860EF67F9,SHA256=10FCDC5366F952D2CFD16E50A17CDCC58EC50D9C88C4B6F5A15C07A6D273A6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214279Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:28.103{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCE8F153CB3C9AA565C832CB8CBD3C4,SHA256=3C26198EA0371CA9E8223DF24F07BE6955D129229FD35D179F86F1D472E06A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160597Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:29.397{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF83FB99E8923B1236481DE2D2883D3,SHA256=7A78FE7C2D7C860887B8DA43D358D3588434C4C3E757343DF717C91D05AFEA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214280Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:29.117{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDF336185FDCE31F4EE18290DE5F0F4,SHA256=4360AE0C28BD26F278DBFC4D67DC2602F1E0B6E8A83628CDF93B12A42BE81811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160599Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:30.428{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3560947A0CE955E4DFFE5169788DADA,SHA256=4298D7637C7EE8C8A83BCEAE0FDB726919FD03B9D5676453388B9DB5D7A28A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214281Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:30.148{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A87322D4963A77FF5C5F008F623A056,SHA256=02FF5CB569D3F29D5831E009E4D23BF48D7D2B39A2CA46CEB5E8C18C71E30D86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160598Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:27.732{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52094-false10.0.1.12-8000- 23542300x8000000000000000160600Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:31.428{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478C375BCF96F81CA6EDEB20E5BE7479,SHA256=3FD72ED6D6F907A6E6B635AC4E3D70401106029CD3913FB665CF028475C403FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214282Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:31.166{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77871B1F8C7BB07EEFB4CE5AA1CB7629,SHA256=E3BB4BAF3D8B9B06E16F1DDC6C6B3CA92BD491BDA85914F232BF9EFBB9EB6042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160601Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:32.428{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB0CDB1E5E66EC3F369916C40EABE73,SHA256=8B6271DFDEDA0E8A80766322C9EC49CC10CF133A47AC44D905414A99CE4DD5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214283Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:32.187{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F5934E65EAF3F675A00C144E16885E,SHA256=66045B52A6B8FD9D88D00C96050B7110C24253AB1724590A6E220E2FB75F1E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160602Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:33.444{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDA02904A973B305BE7463A533CD731,SHA256=20C2C721CF7CDEF73592A73249944ADD8C8B250C68CF2F4D274FA6E6894B92C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214287Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:31.189{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64742-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214286Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:33.217{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85598CA1BA3C6A5CB36EBA0515388D30,SHA256=2825CD2F514AA12F9EA4FE942E71ED35A7C02EC9BD42CF1B04CA8DC8A8FA0A14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214285Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:33.033{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214284Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:33.033{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-52EB-6116-BA06-00000000E701}6784C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160603Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:34.460{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE48C3B6C817ADBACC2A0D4E819B08F,SHA256=0E83E35F4ED0B8FB956E3E3E3911605B51398EF4B0573F9EE3688B31B100BCBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214288Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:34.247{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9B8ECABC9385D845E5E9893ED5D3C9,SHA256=E91021800E551D4136B1343DDC0222376612FFB4ACE968558F9777BFF07C8DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214295Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.830{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=A699B259693935B7C19D9A0732228028,SHA256=273B72E8B07240902ABC3AAA8DEE3127A534890BDD3730104B9CE8BBC3982E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214294Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.830{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=1529A9B69F925BEE61316856814EE0AC,SHA256=26C0FF0F4B0BCE9804174343B845CA3970AD4C593CA0F5AD060B8DBF36B2D134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214293Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.815{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8A73D5D8E4AA094B13C497EE9F79FF6D,SHA256=4C3BC6755BE4A0CFC40E5C9696F43335AEF0CBF98A046E4D94DB07D9CFD9FE2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214292Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.815{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=6B7454562D3DCDB12914DF5FAD082C31,SHA256=9954E004B5E06AA0154790C03C89DD97BC6942E4CD797BCE2A0EEFF2179302BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214291Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.815{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=F8C97F9190D4BCA0EB87F8A410EE7E84,SHA256=A2C672E85D02776F29F9F36837C1D57476BD666D2368F8402D0B3BB9308D1FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214290Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.815{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D2235BB0677190430917743ABB328AD6,SHA256=717D6D0D530D3FA9AB5169AABA461254FD6F9A42256573FF06BB00F825CAB779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214289Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:35.264{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3695AA390101D6FC4D7DA4258F7474A0,SHA256=CC2B13ADB0F0E742F7F44201BB84A87B9C426D9E54F5E6DC24E914A1250633C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160606Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:35.459{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E89ADCA7A04B89B9A3F9F2AD14752B8,SHA256=994E359C8246B961C33E1EE41BEEF06A1F2A408C1D714EB0C32D01990A7362A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160605Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:32.888{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52095-false10.0.1.12-8000- 23542300x8000000000000000160604Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:35.288{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AB77899212E693F0D9F06882AFF93903,SHA256=89D5D7628E6058597EEAFDA763D6A3A6AECCDE1B5061265A80764E3DFF23DAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160617Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:36.461{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E36D3F2B4560389B80309EA6D28906A,SHA256=906766B9CB099187A9035D721DE6F12C09293EF476F0C7B93424B3D4CE20D77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214297Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:36.861{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=222FB6676401E3A7CC73741666CF7F5F,SHA256=CE7C1C271E79113868C2FA12FB7D95784B5D068A402656AA438FB7D706428892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214296Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:36.282{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DD3C677A657BDB8EAEDEC740AC545C,SHA256=F0DCE57771FC0216F2C1BBC8EFF0EB93D5BA26FD060DF40B9513FB9EEC3BE29E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000160616Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000160615Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b2a0a3) 13241300x8000000000000000160614Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0x2848b67e) 13241300x8000000000000000160613Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79034-0x8a0d1e7e) 13241300x8000000000000000160612Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903c-0xebd1867e) 13241300x8000000000000000160611Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000160610Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b2a0a3) 13241300x8000000000000000160609Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0x2848b67e) 13241300x8000000000000000160608Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79034-0x8a0d1e7e) 13241300x8000000000000000160607Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:15:36.148{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903c-0xebd1867e) 354300x8000000000000000160621Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:35.486{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.201.15.93ec2-34-201-15-93.compute-1.amazonaws.com54706-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000160620Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:37.476{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B5E2D441CDC7A84BE61F2C7139E4C5,SHA256=420370D6F78213912207559370475F530BACAF7C06C4E1BB2D9D5BDCA40FDCF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214301Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:34.929{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.201.15.93ec2-34-201-15-93.compute-1.amazonaws.com54701-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000214300Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:37.297{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B85504EA862FEA314F6BD57D09ABA9,SHA256=FD184076741E75D190175B7BF169E1F0CB7CD7AFD7564D4E31BBDC12CF7B1214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160619Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:37.195{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB20A77EBE152776B41BA08D2968F685,SHA256=98F06922E4EC71B268A882CDD314E41D9492ECD5805AC2B6195F9EEE060885A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160618Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:37.195{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5FAECBD23E16F57E11721452922017A,SHA256=4D4375B0FB0A9F1F107905C5BA6AC3E6984AD2A18F40F0A246F4B31C6C97C27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214299Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:37.197{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D389D6FDF119B44DE5140B3E6217FA7C,SHA256=37E3E263ADEACE9392BB39DC82DB3FD20815BEC2E4EC125B63DB64C57C3CC6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214298Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:37.197{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4072E30214CE27C9F07D501E4F4EB25,SHA256=6C3E2F8AF7A54611C4024CE521199ED6C4C08F6BB79498BE56BAB4DBB8BB0708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160622Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:38.476{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453F6AE4E6A978F01D03CE3A4F3AE83C,SHA256=6CA1B0C859F68748BA6AF2546AD2F24A48D8736ACF8FEFC3BDDB320B92E00D68,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214304Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:36.287{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64743-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214303Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:38.680{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214302Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:38.343{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901F1FA25A15C319AB8F91AEE06ACD1E,SHA256=FD3E8817B67F5F404A01386F58DD9FC4018E62EEDC14C3057C3D8E3D3705917B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214306Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:36.942{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-414.attackrange.local55171-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 23542300x8000000000000000214305Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:39.395{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087A09DCCB45AF4B9F3CC89339F97C0F,SHA256=042738DC78FD487742F86E0CED39C0959125AD071B00D96F04088EB0DAB8CE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160623Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:39.476{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CB75C127B139EADB21EEDBFA15873B,SHA256=C4D067AFCF2D25791BBB7C760929A77AC09D55D1DD5658E355D496DB72A3E639,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214308Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:37.782{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64744-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000214307Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:40.409{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC0E58160CF26EAAC802ED59B0236A7,SHA256=0B237DD34E962B3B1FA3E72F064648D0CC2968A2EA6F44706BBB4702133B3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160625Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:40.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD40DCFEA75019291C8B78AD9222D6F1,SHA256=27F48586784A53E4E7A32742240E7064419CA9D1F5DC000E19FDAB9DEDF4DC72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160624Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:38.765{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52096-false10.0.1.12-8000- 23542300x8000000000000000214309Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:41.422{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82092F1F79E17DEF6A0764BC2A66596,SHA256=DF6AD45F8DEB2286B78B2929FCD9275BF6AB4C6C929341DAFB8D25BDD77AF42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160626Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:41.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBE58BE6865D88E27417DA5F34AC5C1,SHA256=843F16506928B964A476256AA17D1CE40C4B6CEE0045BEA7A8584D6FC4ACDB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160627Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:42.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A822203B26F57E6CA7EB13466CA0BFA,SHA256=DE1FEF44AF911E8618B7444ECE732AE45F153983C8A23857CF0D028AFAB50F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214310Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:42.424{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6A901D784374ACF7CDD4DE18DD2181,SHA256=28EFDA7603E6664A5167FAAB5AAE7C57BAC96C3D9A70B9C66579187E81DAB8D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214312Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:41.348{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64745-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214311Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:43.455{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBCDBAC19EDBAEC422FC9255C2BCE10,SHA256=6BB6341119244A86706713A0217CAED12590EF2D11A294FB8C82A0D80FB3AC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160628Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:43.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F98A919C6C8600F150CC6994B3D676,SHA256=5B9BE6D3321F6AB5E85389A24248BCF7EDF4A9273B1FCCB2D027A8D901DDDD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214313Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:44.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F16B36ABD20EBF55B9A14FAA7995CBC,SHA256=D3BDAB89BB83773623042FB9B0331EB32F9139D08ACF91AE1FF44B69AFF09DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160629Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:44.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A485E1A155ACB36CAF495B83D4BCCCB,SHA256=857041909A0605B622ED96ACA2E9BFD7467E4B573868AF880BFD403011A3A9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214318Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.922{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=538B5AD62DF83C864A7C77AFC5DAC0E3,SHA256=AAFDF6C4CE4C3628D1A6465DD6ABC92FFBF70B66F9189D7DC26AD3938BD779E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214317Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.922{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D389D6FDF119B44DE5140B3E6217FA7C,SHA256=37E3E263ADEACE9392BB39DC82DB3FD20815BEC2E4EC125B63DB64C57C3CC6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214316Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.775{079FE16A-3124-6116-1D02-00000000E701}2972ATTACKRANGE\AdministratorC:\Program Files\Eclipse Foundation\jdk-11.0.12.7-hotspot\bin\javaw.exeC:\Users\Administrator\lockbit.rep\idata\~journal.bakMD5=DB2C69A9D2FF2C7E15545E94F891DB24,SHA256=508A623EA51ED8B89D1CF018DE7F375534291B82F2FD8286D305B68D54A649E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214315Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.775{079FE16A-3124-6116-1D02-00000000E701}2972ATTACKRANGE\AdministratorC:\Program Files\Eclipse Foundation\jdk-11.0.12.7-hotspot\bin\javaw.exeC:\Users\Administrator\lockbit.rep\idata\~index.bakMD5=F206172C9A776FC9834ABE664D766F07,SHA256=AFED071B228A87FBBB18D8BF39667792D6912C1D1AD2EA2F4F41DAC320DB8B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214314Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:45.507{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99DCF3613CAC7D8DB2D7B6D61C3F5AA,SHA256=8B2B807D0543E14E12B294BF211C9CF09EA1BB8ACA53EF07C647704AE642C3CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160644Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5461-6116-E305-00000000E801}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160643Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160642Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160641Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160640Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160639Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160638Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160637Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160636Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160635Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160634Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5461-6116-E305-00000000E801}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160633Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.664{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5461-6116-E305-00000000E801}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160632Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.665{C6197713-5461-6116-E305-00000000E801}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160631Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:45.523{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735636C0670D5DC8D19BB3679BDE09F2,SHA256=B00B3B180D4403B4D92D75A86C831751E4EBA2B1B4412E47D075CEB3E2B005E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160630Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:43.843{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52097-false10.0.1.12-8000- 10341000x8000000000000000160673Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5462-6116-E505-00000000E801}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160672Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160671Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160670Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160669Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160668Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160667Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160666Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160665Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160664Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160663Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B00A19E075145EDF03F37E57149755B,SHA256=CADDCC273FA8018B5FBA47CA5D028CFC3E7407D6AABE5AEB9BC8F57E0E8CFD66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160662Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5462-6116-E505-00000000E801}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160661Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5462-6116-E505-00000000E801}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160660Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.885{C6197713-5462-6116-E505-00000000E801}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160659Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1C1B61356AB2396F07451741F949C7,SHA256=62B986BA2AE84B001BAF89C4285C24B85AF28F237A8AC32FC56A92B3B23C8CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160658Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.883{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB20A77EBE152776B41BA08D2968F685,SHA256=98F06922E4EC71B268A882CDD314E41D9492ECD5805AC2B6195F9EEE060885A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214319Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:46.524{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DD265F0294A336771497A7E5C23555,SHA256=8A75036C9854C34FA1A0396818006B903E56695927594D8AABB2298DDB7D91E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160657Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5462-6116-E405-00000000E801}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160656Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160655Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160654Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160653Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160652Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160651Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160650Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160649Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160648Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160647Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5462-6116-E405-00000000E801}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160646Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.336{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5462-6116-E405-00000000E801}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160645Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:46.337{C6197713-5462-6116-E405-00000000E801}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214320Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:47.526{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C12FD75D1EBB22CFB6F4EBCD5D8134A,SHA256=E24289899E8280FB7206554E190B4AAB6ABD7C7062F2882C2A370761D192B592,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160674Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:47.070{C6197713-5462-6116-E505-00000000E801}31121196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214321Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:48.541{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885EA85D1C978942CF6449E7BAE16BA0,SHA256=2409BA6D0E94A66C77CC6FD48CF67EC07CEE72076506D167AF4FC5700254B86D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160691Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.586{C6197713-5464-6116-E605-00000000E801}39881264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160690Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5464-6116-E605-00000000E801}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160689Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160688Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160687Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160686Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5464-6116-E605-00000000E801}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160685Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160684Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160683Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160682Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160681Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160680Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160679Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.414{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5464-6116-E605-00000000E801}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160678Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.415{C6197713-5464-6116-E605-00000000E801}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160677Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.258{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160676Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.101{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B00A19E075145EDF03F37E57149755B,SHA256=CADDCC273FA8018B5FBA47CA5D028CFC3E7407D6AABE5AEB9BC8F57E0E8CFD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160675Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:48.023{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD29FC6F5EB43A753B9F3D0677701752,SHA256=0A50C09C9DBA4BCED521A37906BEF5A926B7F0DD29BA114203EF99FEA2A493FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214323Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:47.134{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64746-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214322Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:49.555{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DBC75C969E1D1123CB51EF3BD6DB1A,SHA256=424A87B893D5F55B182247E4D0B0F19D0EB54BB5E2543F43B080425C48F6DE72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160722Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.773{C6197713-5465-6116-E805-00000000E801}2656344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160721Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5465-6116-E805-00000000E801}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160720Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160719Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160718Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160717Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160716Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160715Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160714Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160713Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160712Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160711Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5465-6116-E805-00000000E801}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160710Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.601{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5465-6116-E805-00000000E801}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160709Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.602{C6197713-5465-6116-E805-00000000E801}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160708Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:47.906{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52098-false10.0.1.12-8089- 23542300x8000000000000000160707Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.414{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB05BEBCA2BF80B94E520FA408F48B01,SHA256=6B0B9B8180B3B5C8552ED17841F005F0694E28B6A65A8E9C848BB9E52713164A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160706Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.320{C6197713-5465-6116-E705-00000000E801}33643960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160705Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5465-6116-E705-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160704Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160703Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160702Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160701Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160700Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160699Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160698Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160697Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160696Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5465-6116-E705-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160695Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160694Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5465-6116-E705-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160693Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.086{C6197713-5465-6116-E705-00000000E801}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160692Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.023{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2575586B7AB7C043F28E19E320EB59F7,SHA256=09C4E051A8214F224590A7E9881797FFEA1090CFE5A90729544B85A522753620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214324Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:50.608{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54742C616E860580EE619227F23405C7,SHA256=17584F34CC4D771BBA9989FA0FA01CB9DB14D578D319326EC3CB6AB3D312F923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160737Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.807{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A92EDA364EF22E9BABB2FB50B9B15BFB,SHA256=6B57E26167FCC6D6D4092D8FC870A33A1A8216F61AA9C9F2FAD262EEF7D33432,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160736Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5466-6116-E905-00000000E801}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160735Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160734Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160733Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160732Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160731Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160730Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160729Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160728Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160727Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5466-6116-E905-00000000E801}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160726Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160725Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5466-6116-E905-00000000E801}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160724Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.153{C6197713-5466-6116-E905-00000000E801}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160723Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:50.151{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECF224D94D4320ED2DFD196CB5B189C,SHA256=F7C17A533D0E606CFC6C3421C93D62E71EBAF63E45EBA329E6B24EE9CFE80FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214325Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:51.653{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198332660FECB2C3A05DDF776B403187,SHA256=AC2C06236DB04AE549009164753398C8960EDA57ECF2716D228C697E39E8BC61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160739Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:49.705{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52099-false10.0.1.12-8000- 23542300x8000000000000000160738Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:51.372{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234EA363F496BA149C32FDED42D50540,SHA256=303AA12EF8A2F5EBC6EBE7C0F5B6CD67F1DE134BF821EA75252CA17AF4D65682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214326Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:52.723{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510CA1FB30F11BC7B8C15F99DBBBB9E9,SHA256=12CA99D19056092C3816710AC61228882C36DCAA440DE5025B02B355B9D54D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160740Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:52.372{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD48D0C7D64E94B81E28233B1E3A0F2C,SHA256=C554C0F7D59FC60088CF97FC6B93804136AAD5426B346990B1B150749A1297F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214327Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:53.737{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F0418676771B14390E7EDEBFB319FD,SHA256=AAB187282DA107E4969D0A30B9D56CAB736516C40F0B148E1300FCF73F8B9BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160741Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:53.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111FF0D84A6BBD13218A341FF0363C0E,SHA256=FA39A8C600E19E24EB0769663093254B0A1FA3DBD9444BFA3BC95E9E4961C2E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214329Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:52.162{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64747-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214328Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:54.770{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1499224B006855913C7F2A3F602619,SHA256=D12947360BAC50B8D4423EA08ADCA2E7498F1D2045B98EAA8C1C7A9C1A71BAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160742Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:54.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE94B668080A6BBEF4719B89AAD26748,SHA256=D6A05F3789024822A05E4F822AFC6A270CBB705048C7BC98049B53D7BA4BB3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214330Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:55.788{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40F28AD8FA89C272BB08C48FD05B282,SHA256=E7F670C0B8B455C0E8DBF3004EF42447B0108BE7FC9FDB5CE13FFAE95BE06AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160743Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:55.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F1EDD30A6FDBF44D99642D0CD0984A,SHA256=F71ED24DF48B888532EE7381FEC319F71841C678B3A838EE08FA77A5E8B93FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214331Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:56.790{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5222765D73B3A4B2AA8B658B71982D65,SHA256=27A6C18412E2FF6439280AD62D85D5296400ECD04C3C1D9103D95D41C4B7F609,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160745Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:54.926{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52100-false10.0.1.12-8000- 23542300x8000000000000000160744Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:56.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A25FF4864C13BEDA6DAC95DB931116,SHA256=7F134D6711F838065EB75A9A487348EF5A5121E7E0EEA507158467A1F5DD4C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160746Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:57.387{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C15808EC295FD4E216880947EF0F69,SHA256=0AF9CBF51CC992969F281CD6483FC8143D3A5DB3A5BC2DBD0B8F3DF4F70FC254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214332Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:57.805{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAE1CC214F683852520FF9E50644B43,SHA256=1C77111C69BADDAFD1EDB006BC0119790EA3B52A84A7B8EA0A20CF9224921D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214333Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:58.821{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D21CEBBA774D7E77D9064AE70BF851,SHA256=C2AA0FC807DFD766406B75DFBB12EC62AA7AA3ACD1782784CE4F333E8D4E8882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160747Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:58.403{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3247AE8FD7512A5DAEBE7A99A6C64F,SHA256=64FCDAA91F3EDC6F89DE17F651461FAAF94CB407DF176615AFDBCC2808B96F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214342Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.836{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF900DD9BBC330A22BEE4EFF976C19B,SHA256=9B0C419EA4145B39A6F4921ACDFE635AD340BA84063A8E7EE6117EF52BEDD3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160748Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:15:59.497{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC83CE776D206DAA7F89EAEF4ABA343A,SHA256=C2F345D320C670A58277899864FA69CCD89B2FC81BDBD7BBB6595394AA81C5FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214341Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-546F-6116-EE06-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214340Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214339Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214338Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214337Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214336Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-546F-6116-EE06-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214335Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.736{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-546F-6116-EE06-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214334Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:59.738{079FE16A-546F-6116-EE06-00000000E701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214355Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.846{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA7DE9033BD05CB9BB6B780AA01B7C7,SHA256=A056D7C3FC6B22E5EF41ED279FFBA56B7645F11582BF6A589ED73EC31B43017A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160749Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:00.512{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B42C4FF55C70052BA42549C12344F57,SHA256=803D5566949971A3DB1D7D7A39BD4252BBAE09552866BC82D20635561645B20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214354Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.748{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=672168D36C509B367196C344760D5F9B,SHA256=53997CA7E6BC234E39F3248C7F9C49A0754DE8610B20041E3CE95205616D6832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214353Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.746{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=538B5AD62DF83C864A7C77AFC5DAC0E3,SHA256=AAFDF6C4CE4C3628D1A6465DD6ABC92FFBF70B66F9189D7DC26AD3938BD779E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214352Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5470-6116-EF06-00000000E701}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214351Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214350Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214349Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5470-6116-EF06-00000000E701}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214348Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214347Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214346Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.608{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5470-6116-EF06-00000000E701}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214345Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.610{079FE16A-5470-6116-EF06-00000000E701}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214344Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:00.138{079FE16A-546F-6116-EE06-00000000E701}52604896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000214343Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:15:57.230{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64748-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160750Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:01.559{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE2A4CDE4C28D28D6C7F669464A69D6,SHA256=2934C87058F3BEA23588B0FE97EA7605EEC5CE14E362616981E39D4938C1D375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214364Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.861{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4301F62B6D90F4554615375D2E5A395D,SHA256=DE5E2D5FA7EA0A3F63B746660A44191D0C15965437E913120C3818F2E62354FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214363Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5471-6116-F006-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214362Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214361Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214360Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214359Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214358Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5471-6116-F006-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214357Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.477{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5471-6116-F006-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214356Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:01.479{079FE16A-5471-6116-F006-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160752Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:00.723{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52101-false10.0.1.12-8000- 23542300x8000000000000000160751Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:02.575{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC713F49F7CAF7E0268C87E6DFA6783,SHA256=2C5EF9DB76F0E33C6DE9EE6C385DEF7BB37ED98250528FC03DA536FD536F31CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214366Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:02.876{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24050DAD5D626A537F9CFC423C2428E,SHA256=F58BF3C3D8A566400F0BCCF7A91523879359A6DE53218B8C93FC7A92157550FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214365Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:02.507{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=672168D36C509B367196C344760D5F9B,SHA256=53997CA7E6BC234E39F3248C7F9C49A0754DE8610B20041E3CE95205616D6832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214375Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.907{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CEBF0E033D73AC3714F67D708B7696C,SHA256=A74328316DF779D27CA2C02651D66F9CFA054EF4286AA3F88B42046EE0329944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160753Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:03.575{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72ABBF83C8D5825523ADDB6F8C375AC,SHA256=EE3E72F6D6B4D1C7FF44039C17E85384B3B1A70403DD43C553DDE4AFA891F050,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214374Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5473-6116-F106-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214373Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214372Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214371Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214370Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5473-6116-F106-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214369Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214368Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.791{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5473-6116-F106-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214367Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.792{079FE16A-5473-6116-F106-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214387Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.974{079FE16A-5474-6116-F206-00000000E701}71244428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214386Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.921{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF3955AE416364637FF409C2A293675,SHA256=E419F36590D34E9DC9D62BC11E526E4A0F31D74505250D247AD726AC79DD4728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160754Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:04.637{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71F339261F81A497A0F36C746B10FB7,SHA256=3D58B8F91707D60E1105E9D196342A0315DC538BD8959F24E66658D4B13D973C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214385Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94B5FD848253B503425D84444598299F,SHA256=3088031FD9501C9732C95B9791592667745ACF6D94AE80AD2B0FF9D61568A407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214384Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5474-6116-F206-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214383Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214382Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214381Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214380Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214379Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5474-6116-F206-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214378Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.674{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5474-6116-F206-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214377Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.676{079FE16A-5474-6116-F206-00000000E701}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214376Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:04.122{079FE16A-5473-6116-F106-00000000E701}19923924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214408Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5475-6116-F406-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214407Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214406Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214405Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214404Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214403Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5475-6116-F406-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214402Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.974{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5475-6116-F406-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214401Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.975{079FE16A-5475-6116-F406-00000000E701}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214400Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.942{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ED098B6E1AFB7EF511A150877E165E,SHA256=6675FC1FAC41F970278382309A2DF04C6936FEC09F85C71E2DB2C4F28C53EEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160755Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:05.637{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57365629E0E8B655D34582D0271A1F9A,SHA256=12164F848DD1C3070D20B1D76520233C1752EA06C5270173BC899405B279FE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214399Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.689{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7C3972D7AAD6CE2F77ADF1D011FDA42,SHA256=30AF15B7AA2482AEDB12C4371566077934FEC868C0CC95CB99129721A4DDAEDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214398Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.543{079FE16A-5475-6116-F306-00000000E701}68205588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214397Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.332{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5475-6116-F306-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214396Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214395Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214394Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214393Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5475-6116-F306-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214392Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.327{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214391Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.326{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5475-6116-F306-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214390Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:05.325{079FE16A-5475-6116-F306-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214389Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:02.785{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64749-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214388Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:02.785{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64749-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000214411Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:06.974{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DA156EB4A1CAEEF2E6C551EBDD80B1E,SHA256=3FC22B68A9073411BD8B820C72B95415856378E2A4EA73F9C581517965462C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214410Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:06.959{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB21F82D63279C8476472A2518D29B1C,SHA256=5BF2D4AD2F55EA3D2FEED724C67B95C2D2A7397E685B6EA9D927E8CF90192C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160756Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:06.637{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD9C54262ABB68C810BFDB2EEFA9251,SHA256=8059C7596E36EBED6DF038BC490C895C9EED03FE9B39CDC289F7F8794CAB23B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214409Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:03.245{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64750-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214412Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:07.973{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3254CC8A723C63F025DD89E17661B529,SHA256=D2BB16439584643F77E4160E91D4FC5631C1CBFD3A8FFABE941199FB3B2F2B28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160758Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:05.785{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52102-false10.0.1.12-8000- 23542300x8000000000000000160757Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:07.653{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA162CAB8C216D66A782A83539DB9557,SHA256=296197E24D56C5DF759F13C4B49B7DD1D100F53905613412956787001C2D0231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214416Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.989{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044BAA9C8042A2274EC866C4FEDF6553,SHA256=2146356486095A127B1968A4F45D262E547607A0F833F3F1D8B3E4864096FCE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160759Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:08.653{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7C08A961026225CB4BEA1E77BCAD0C,SHA256=83ADDD6DD9FEA13AAB7312E2EEEED558ED84EFECC2E5A5033B5D65CF50C2DE33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214415Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.105{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000214414Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.105{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214413Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.105{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb32321.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214418Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:09.989{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00265A7AB022EEAEA374E5608E8F8C1,SHA256=C9E8AD4BE51AC63083B1C58536D891D953A3B6C5921566E1EB87221A715B478A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160761Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:08.573{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse118.69.82.69-58340-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000160760Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:09.653{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943D5C31E06A5106248007C600EF580B,SHA256=1D61596BCA793F0D60F7E4029E314139B20915C13313CB508946CDE895F1CA37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214417Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:09.057{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160762Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:10.668{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF1CD48788B7E47FFC6565561E2AA57,SHA256=FD2C1D7B1BD0451BCDF4E18E95F76299261C96010E8F70D6C2789BAF4D751526,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214419Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.010{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse118.69.82.69-58327-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000160763Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:11.684{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F53A0F5EFCD052DAA77EFB3B6F8ED7,SHA256=999A87B2906FAAC48708B5DBA0F406AA2C9DC0896AB9DA3F4CEC76737B31EDB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214421Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:08.344{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64751-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214420Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:11.038{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373C67E3EE5752D901464871013E4D1B,SHA256=C6B652B144EB0D7520FEF52B444EC2164D931590792C5ECEA9D6358E7C76A48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160764Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:12.684{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D953ABB2D08C43B484600A88BF8AEF,SHA256=CE1676DBDA476879810D9A6B18507C4614B3B8BD99D0C9048B3DE5F819B4E1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214422Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:12.138{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB16A952EE827147E59A290752AB361,SHA256=CDC493F05FB4B9A819DABFD7C7B964AF78F2104C0BBCACA3B5495A8AD80CAEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160765Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:13.684{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF329B5DA3C6B4458364D5AFBA9185F,SHA256=446D997E9320B5B907C832588895B6A8BDB723228240C2C414AEAA59A94482B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214423Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:13.155{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9A7FA1007908C70E39530FFBF1710E,SHA256=3B2DE49EE52F921B94CE21F3FAE989B5597286B69DEAC4B4BE6D287452FA3643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160767Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:14.731{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C677D22C9AE884AA998BCA969A80C0D0,SHA256=46B797B8C0DEE1865C68AF4E201714A16E37A0BE153D0DDE575CF33C0C4881AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214424Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:14.170{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387C340DFE9587D10A9F7F2CB732B7B2,SHA256=5DD5CE386AF9535D362DF3C4FFA6A9D9E00DB791098BC7752BB893924791D516,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160766Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:11.707{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52103-false10.0.1.12-8000- 23542300x8000000000000000160769Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:15.731{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCDEB9CB19BE958EB71FE8C01B833DD,SHA256=007A1360F64E421B987C9B7FE174752D67332F2F3521CE5F7F7430E07167F1E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214426Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:12.548{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com59416-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000214425Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:15.185{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FBC0F2FAA63C27840F188F9751220F,SHA256=9445D77884E3147A991D3E3039162CF9A491C3CB05F5DC3D0B7570C7C2F16208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160768Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:13.097{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com59418-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000160772Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:16.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=967533369FD0A01BFD70F4D8BCBCE776,SHA256=011BBE2D225705093E062199D716FA92BAC78315B4554880C55F842A73DFD452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160771Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:16.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=386EA7DD4735C4A6AEC5F42515534E8C,SHA256=9AEE888DD98588674E2FA82C69CDA5C6194DF5C4C3FE7085752462D589E27BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160770Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:16.778{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D039A18E40AE159C66392DD9DFD5D86C,SHA256=E25FA8FE42893175C8373F935899623591566AB80AFCE371163CD48E610CF187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214430Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:16.852{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDD4EB77D0822182B4F0D1D3F043644,SHA256=C7E68B4C55CE6D020F64FF75985916381DCEAF4BB6618BC4AB041612D3ADDA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214429Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:16.852{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=971EA32AE60358E0270AD9444DAFB368,SHA256=0E42A02A711F7E7A9C5FC75001088034FBCD6658C393ABC61A1726A726260E16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214428Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:14.356{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64752-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214427Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:16.234{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C878BB58663BA0D5C2358DE1771912,SHA256=ABDC8B0E4A951042D18BF41B9741602EEFE42C91BE2AF711253CBD9A0C660529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160773Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:17.778{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B61CB9BEEA6A72F273353CA15CDBDF,SHA256=FBEC61DA6ACFB8FBAE1952DE69413E332D0662835913FD58658FC18EEB93C6BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214433Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:14.979{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64753-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000214432Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:14.979{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64753-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 23542300x8000000000000000214431Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:17.252{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743FA78B0AAB26B692C7ECFF164D89E6,SHA256=C5BC04C9C803C3F33B0163F4F208EC27D98312C6E53EA065945D96DA24BDBBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160774Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:18.778{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2039C0DE07126332B5702034FA238C14,SHA256=397849679EBA7D4CAABEFCA00479B336886F413AEF8505354609E7E11EBFB7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214434Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:18.267{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBC064F282BD3F67028857C11B83C02,SHA256=436463372757CF5C1230B0C8D6746E9DBD5DFFA30341A6A7E564D92F0CB8E867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160776Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:19.778{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A13AE135F8FB50F5942D7937C9A93B3,SHA256=A7033FBDBE9EFD404E0A586E4BE54A07822C143D3EA842109414E0FD1DF3FF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214435Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:19.297{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B895B94CE9E16EBD171922C98C86DEDB,SHA256=FB29B88CCAD9BFB3A45441C78E1307F571B4DF7447A33FC6825A85B4AE68014B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160775Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:16.801{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52104-false10.0.1.12-8000- 23542300x8000000000000000160777Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:20.825{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA06893B34CDCE78E40092D197FD414,SHA256=E080354A85C9803E7FC7FCECE3AD4D982311D10CD6FDFDDA364C1871752B2562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214436Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.312{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDE1023CBF098CCA6CC118C8107B1DE,SHA256=D983F86A877D783EDF561B5F39157CC829F0310C1DC0C864902DE9739BCC03FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160778Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:21.825{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2DFC06F59B3C8CFF0CA9E102EEE369,SHA256=23D8C9897037062BE044D01E739F8C0AC5AF1E8EDCBA0FF8AA323824E1CB5044,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214438Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:21.349{079FE16A-26A0-6116-0B00-00000000E701}6285044C:\Windows\system32\lsass.exe{079FE16A-269C-6116-0100-00000000E701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000214437Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:21.330{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB336B259710A8F074645AAD116E0AB1,SHA256=770605CE9DA92A809691A6258B0A2F8D7EFE4703DA2BFA4EC118B587F6D552E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160779Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:22.825{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A8C6B54AEADE8E3F767B4C4EEC732E,SHA256=B02E8C80D134018CC39EB3221D9B1C91747B399191C550407F10019D1AD18DF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214446Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.407{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-414.attackrange.local64756-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000214445Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.407{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64756-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000214444Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.377{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64755-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214443Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.377{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64755-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214442Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:20.351{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64754-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214441Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:22.348{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A926997A760E4217DDAE4D6304FCDD5,SHA256=9695A6C69BDEA786D605CECA22A4909AEAC5C33640BE79B1531AD6B7B07124C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214440Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:22.333{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63795D192FADC10F68734E911C367561,SHA256=D1DA0A1BFCF751EAC4D1DDB6C5496EE21A87A2BD88D6F3CAB46A30B97261D3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214439Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:22.333{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDD4EB77D0822182B4F0D1D3F043644,SHA256=C7E68B4C55CE6D020F64FF75985916381DCEAF4BB6618BC4AB041612D3ADDA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160780Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:23.825{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B6209047E8E99E38837D8B49F1F041,SHA256=E12097180415786D442FACCD7630300D88F78061059165C7B4EDAA07534015AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214453Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.397{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85215CBB6DE9B98A6C4339E17D196868,SHA256=00043D0C49D17FDB367D77BB4D5A8BCEBD110BF24BA6066C952DBA0883CF2552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214452Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C507FE8870E570FCCE47B55F155BDC78,SHA256=E51A39326A4A0752E36D1A3AE140CFF7662CF6C9587DFF4375E2EAC14E6FD809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214451Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=FE7427AC693FF63018FDD98CDD450D89,SHA256=7D5B872113111F03B1C378FD363ADD58D1CA0DDCD4B7EF1746987971BD402BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214450Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2E6AE421C76393DE6BDC07785A247D02,SHA256=0FAE99E526F9259A568267ACA423CAEF933D3338A4FE88BD4EDBC466CC3172EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214449Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=061E85ADB8771FC1530A5F71D7953954,SHA256=C132E083196500FB1D5F1CE9F324F957E09D46D2284E02D86D93BB34DA937703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214448Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=ECCB039EA40D4ABAA444651F8212EBDF,SHA256=531D1FF6D3D75FD61539F306DCDDBBFF8A992C91ADACC0B94CC46EC57F13B84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214447Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:23.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=86AA9920D9B38D7690AFAE78CA7DFCEB,SHA256=38C35E0E55D1D6898F4FFDC8D2211190520DDA3DBF6F03CDD433B78955E45F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160782Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:24.872{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C785CF64F9D05A875D136C130D1F870,SHA256=0B30BC3EB7FCB6F04C294190C4BD6A60887ABFD3D284009DB6C00FDA707D58ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214454Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:24.430{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8B3AB6D66C2168E125AE2E1B16AF38,SHA256=DB16D72BB35A3897AF0CAECCCF703AE9930031E77BC31F6A693F6B092FA60B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160781Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:22.723{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52105-false10.0.1.12-8000- 23542300x8000000000000000160783Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:25.903{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A0E2F8BCC35A79A0E604E4DC4983E8,SHA256=E9A5BDF0A114E7FE911FFCE6B9CE9827260169C59DBE8A73DBDD225D30C71F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214455Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.463{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4F9A3877863FA3819CE4B358C17736,SHA256=365DC763EAA06CD8BA6E253D85EE505E6482DB2CE4E33C924433C9CADECCE9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160784Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:26.903{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AA6F2A339BF699C090275DF114B1F9,SHA256=92FA9E6B2F7A91D2FE084A7464BDDF5BD830274B33BA437FDC4072B9223155D9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000214459Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:16:26.609{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x8000000000000000214458Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:16:26.594{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Config SourceDWORD (0x00000001) 13241300x8000000000000000214457Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:16:26.594{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_44A90C05-1D96-49A2-A5E6-242C78701B1A.XML 23542300x8000000000000000214456Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.478{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89300D6B104103D857F184F4EEBD83A8,SHA256=635E0ADC2992537DADF1FE67AB74E220F8FAB031A1BE2B495C125B55A91702AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160785Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:27.918{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA5D467FE471DD91F2C3E6A95C74ED8,SHA256=EBCF689D28C63070CE55581214FBA12F724EA71AA2610BB579D340E410C2DF9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214468Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.745{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64759-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214467Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.745{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64759-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214466Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.737{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64758-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214465Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.737{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64758-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000214464Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.705{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64757-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 354300x8000000000000000214463Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:25.705{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64757-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 23542300x8000000000000000214462Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:27.631{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8B29BBD70A7E9994D65E99992C4977,SHA256=53300D6FC9155984B41732E40EAA7A29929499D0E74EE95819648C8D069992F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214461Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:27.630{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63795D192FADC10F68734E911C367561,SHA256=D1DA0A1BFCF751EAC4D1DDB6C5496EE21A87A2BD88D6F3CAB46A30B97261D3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214460Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:27.493{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7159E248D0F4C3313F134FCEDABE4722,SHA256=2A7200E272A082DB3A2D7829F8F60846F43B912572B836D6A32C7D1707B02ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160786Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:28.918{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346FBD2A04CDF542616FDC199A0C49F7,SHA256=B74696CC00376B50BE1B06311A4F576323E272AE3593EF7FA8B2B90592A6A82F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214494Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.280{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local62408- 354300x8000000000000000214493Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.278{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local63203- 354300x8000000000000000214492Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.275{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61279- 354300x8000000000000000214491Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.274{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local54323- 354300x8000000000000000214490Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.273{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local63938- 354300x8000000000000000214489Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.269{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61053- 354300x8000000000000000214488Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.268{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64536- 354300x8000000000000000214487Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.266{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61891- 354300x8000000000000000214486Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.265{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local54389- 354300x8000000000000000214485Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.264{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local61253- 354300x8000000000000000214484Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.264{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51670- 354300x8000000000000000214483Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.261{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local52676- 23542300x8000000000000000214482Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:28.561{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243C3115C3DE8B3E818C3F11BF2934C7,SHA256=AA4A1781DB29246C93B332FF15B677BD0869F7C80DC5A9CC62665E5D01F51D63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214481Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.258{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local64294- 354300x8000000000000000214480Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.254{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local59431- 354300x8000000000000000214479Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.253{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local61249- 354300x8000000000000000214478Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.252{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local52214- 354300x8000000000000000214477Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.248{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61237- 354300x8000000000000000214476Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.248{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-414.attackrange.local61237-false10.0.1.14win-dc-414.attackrange.local53domain 354300x8000000000000000214475Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.246{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51368- 354300x8000000000000000214474Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.246{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51368-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domain 354300x8000000000000000214473Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.236{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64762-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local49666- 354300x8000000000000000214472Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.236{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64762-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local49666- 354300x8000000000000000214471Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.235{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64761-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 354300x8000000000000000214470Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.235{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64761-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 354300x8000000000000000214469Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.187{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64760-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160788Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:29.934{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FCF1F764F54C5C55E4F8B468C02B65,SHA256=11EA8DCD546CBE64B38E1B76FDABCA9E48B2229C1F57B259A10B8002215601F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214497Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.285{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local50997- 354300x8000000000000000214496Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:26.283{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63024- 23542300x8000000000000000214495Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.576{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E73EF3FE6399CC78D236A817BD9B2EF,SHA256=B9AAAB92CC0A071CB6100A55192DC391DC90C3B8CFD05B386C43E92CC6A276E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160787Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:27.911{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52106-false10.0.1.12-8000- 23542300x8000000000000000160790Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:30.934{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54CC89A2B3A2AB3E4F0C1627FE54A53,SHA256=A6BAF93E23B05CE3E18485B47CAC11011BE3E41E5B97BB0C33D464FE800DC6F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160789Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:30.372{C6197713-26A0-6116-0B00-00000000E801}6281420C:\Windows\system32\lsass.exe{C6197713-269E-6116-0100-00000000E801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000214534Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214533Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214532Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214531Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214530Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214529Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214528Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214527Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214526Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214525Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214524Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214523Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214522Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214521Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214520Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214519Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214518Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214517Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214516Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214515Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214514Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214513Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214512Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214511Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214510Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214509Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214508Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214507Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214506Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214505Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214504Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214503Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214502Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214501Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214500Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214499Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214498Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:30.060{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160792Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:31.934{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C803CCADBC67BFFDE7448E1E4513AC,SHA256=466153A209AE580EF38E9122348F852700108406457B5BF5E0D26459F3BBF7F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160791Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:29.710{C6197713-26A1-6116-0F00-00000000E801}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com52657-false10.0.1.15win-host-867.attackrange.local3389ms-wbt-server 23542300x8000000000000000214549Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:31.393{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8B29BBD70A7E9994D65E99992C4977,SHA256=53300D6FC9155984B41732E40EAA7A29929499D0E74EE95819648C8D069992F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214548Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.305{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local62517- 354300x8000000000000000214547Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.303{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53546- 354300x8000000000000000214546Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.300{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63009- 354300x8000000000000000214545Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.298{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local63349- 354300x8000000000000000214544Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.293{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local50309- 354300x8000000000000000214543Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.290{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local60894- 354300x8000000000000000214542Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.286{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local60866- 354300x8000000000000000214541Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.280{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local62540- 354300x8000000000000000214540Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.278{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local54238- 354300x8000000000000000214539Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.275{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local51029- 354300x8000000000000000214538Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.273{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63759- 354300x8000000000000000214537Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.271{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local52461- 354300x8000000000000000214536Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.153{079FE16A-26A2-6116-0F00-00000000E701}292C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse34.222.193.200ec2-34-222-193-200.us-west-2.compute.amazonaws.com52655-false10.0.1.14win-dc-414.attackrange.local3389ms-wbt-server 23542300x8000000000000000214535Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:31.026{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252FF61C90955A96A184B3FA067D7F06,SHA256=17E1622F28FFDC88D4B9CCA3494C27E55EBCC77E862A5EF359023C08F40B9259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160796Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:32.965{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1C86147A1BA82DC560503B7FFA9B02,SHA256=A170FC181D4F21BA07B7116F000CABBFAC86C68D8A85E56F01A2B10E7851E2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214558Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:32.846{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90E332BC11173536868800C9DEEE80E1,SHA256=49D615FBC57122FAABC96E278AD5D043C9E3B4ADADB0AA9AF88B9E6F3B52070E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214557Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.493{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752107-false10.0.1.14win-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000214556Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.320{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local51864- 354300x8000000000000000214555Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.318{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local54213- 354300x8000000000000000214554Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.316{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local61390- 354300x8000000000000000214553Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.315{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63332- 354300x8000000000000000214552Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.313{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local53domainfalse10.0.1.14win-dc-414.attackrange.local54360- 354300x8000000000000000214551Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:29.309{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local50704- 23542300x8000000000000000214550Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:32.077{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B4D818ADCBDD3045B12B6EA650AEDA,SHA256=1A773F0319A74D86DCC1033D360E47A7462C88A090E4EB3B304407CF3233C9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160795Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:32.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FE7086838E96CC99A75A968516E4177,SHA256=A3139289F4352807F8C5546B2F49190259215B51D1F51DDD1ECA04E6D91739D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160794Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:32.856{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=967533369FD0A01BFD70F4D8BCBCE776,SHA256=011BBE2D225705093E062199D716FA92BAC78315B4554880C55F842A73DFD452,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160793Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:30.040{C6197713-269E-6116-0100-00000000E801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52107-false10.0.1.14-445microsoft-ds 23542300x8000000000000000160797Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:33.997{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAAA405A70F1651BA8DC505B958A2E2,SHA256=9462891CCF2F920FAB5C0B40E16F0C82B57F654420C20E44173263C41B79AEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214559Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:33.130{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A5CD71E722488FEDBDFE6946E4C7AF,SHA256=9B4A23DD4629C884DDB2D1683C37EA4D5DD22933BAF5141964A19016B968B34A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214563Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:32.036{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local49929- 354300x8000000000000000214562Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:32.033{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64399- 354300x8000000000000000214561Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:31.201{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64763-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214560Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:34.179{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A1B1E9BECA5BCD6BED9EF24A83800F,SHA256=55BF9A654AEA27BC407016808C33BEF5FA607D0F71C0AD220BF106D259B12D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160799Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:35.293{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D6031A44DB4AA95903FF777411FA291C,SHA256=8F913C95C3564A1A222AE24CDDBCEB980C92BFBEB3FE89F5C1C75D71B091B32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160798Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:35.012{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA47A601EDCBE47B9F068E0BD1FA7EF,SHA256=9ADE9BBEE541E6AA14ACBD0CA7AB0E894D868EDAC79C3A36174719BB6AEC7386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214564Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:35.194{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFE9E01DD809ABA2B0A4D64F52B83F8,SHA256=8E22036419362A55D680955592CB63CE2BB1AC320E0DED25946AA25962B89884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214566Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:36.861{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FD13FD94268BD72F2861B65173B66D0C,SHA256=21A82E08B14E34BF822507067223F8325C89CA429FBE96BDB8A5C36EFD983F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214565Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:36.208{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C3DD4B7210C4EA08571B44FBD70D5A,SHA256=525F2B7DE37023EF2CB5FAA46928841C4F3D0EAA43ACDBAD92403223E2DE88C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160801Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:33.864{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52108-false10.0.1.12-8000- 23542300x8000000000000000160800Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:36.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2BA1A4268A3822B77996CCB6EFCF65,SHA256=B183B6B6CBA44CA9E10B82A6CC220D7C7DA82AFA635092D35755302CC4A2CEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214567Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:37.227{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDF445BD150E79D75F969F8E413BBA7,SHA256=666CAF0D84BAD57E91C47BE43BD76EFCDE75A37B4A9E92B0B997507801BE4A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160802Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:37.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0EB290EE1ECA71EA40B7BE02D58C4E,SHA256=5F9AE12E1C2ABFA44741005A9AB09BD72EA18AAEDC0832B5805FE7898D7E9FB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214570Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:36.332{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64764-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214569Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:38.707{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214568Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:38.245{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C63FA25963E4F500CE57DDDF83471C3,SHA256=0E31BE606DBAA06399B1A0E5466F055833A6EB0E791362D8E8E5A4439F4AEA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160803Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:38.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCC8176BE977D5E2A0FF51B5685152E,SHA256=884C475A16967E1AF28E1C709C05C7383D051CA6726DB7333EA74A9DC9B1EBE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214571Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:39.275{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA03EACF4030EC3529122F192E5EC06E,SHA256=8EDE5AD13F4D2B67C5434C3C48B5075E7643D6AAD414F1E227ED1C5018DBE7D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160804Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:39.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B13038968DEBD8CB8445D5B452331BA,SHA256=6338BBCF79F4EBA55F96C4F3F7D75FBA564C0A825BDF78F4BB0CEAE7048928A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214572Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:40.276{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D146A489658ECD2459D8F5B24AB68AB1,SHA256=ED79BB7ACE5EFF1492EB4A5E5BB52B3E3307F2DA80C9AD438311337FE7CF6C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160805Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:40.028{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02733BB91A54730A5302A460B9D9993,SHA256=DCB296893BF146A92FD1C352C47DBA36A7CD65CF539FF0182B16FA480A487A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214580Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8C7843B61C285F2E8420471AE78CBC84,SHA256=1CB8D078556ED31709A5613C5025B5DDFB4863D5D79A0F4E1E6D6CD604586A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214579Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=0B0004989454B2C71057FA19C1C0FC04,SHA256=3907858A5A4A4FFC7B8B7E217EFE641C39552AABA47990CDB931AA236FB4EAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214578Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=3494BD052C541799009342BEC45E3F76,SHA256=3907DE8C50066881CE6AF27E4E2341809C03BDD6900E8D2BA8EA9C7FD8F4C32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214577Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=DEE723AE6190D61DDB278DF7EFE6ED29,SHA256=10226E27584C65B34ED5E755B7E67AEF69CB503437A68AD10392C321122DAE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214576Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=F3716F79BF3E2535D9B0533F109BABA1,SHA256=12A4527549DE0C2767C2A2BD86B752A772DFBC9877098032E86889EBBDF2E2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214575Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.962{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=883A09F3D599D919786EA36985FB3E30,SHA256=8778DD6A78D11385A84F1327F261AA442BCFF3E1FD213CCF4864CEFDD57F0517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214574Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:41.277{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B88969189AE206B8E4F7E1B78B3D0D9,SHA256=5AE59EA91CD63E939A6D0C063F5A810F613230D2E572F9F3480F0FA6FDD0D203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160807Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:39.692{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52109-false10.0.1.12-8000- 23542300x8000000000000000160806Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:41.043{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2C49C5DF86CBEA5385EB2AEF460177,SHA256=C4151AC1C6BBA01ADFBDF3321C5931FE1BB984A85CFB3FFF59075DEC84B1FE09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214573Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:37.816{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64765-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000214583Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:42.277{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443F6EC3CC8D8DC8ACBD31C600A5DD2F,SHA256=4C6598D37D9180B2024E03357F56BB9A30F332A6FC21785AEF58E7BB2F14BFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160808Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:42.059{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F958FBEE54251F49FC2B66261599993,SHA256=5B1365970AE08170DE874058552C504C3214429793C50B2C0C268FABE3DFB032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214582Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:42.146{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEDA6C1EEF43A8136141EBAE24BAF6F3,SHA256=AAE3E52772AF8BBBCC6507FBCBD44E657E72B78D8B00EE15D18A29E8383D414C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214581Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:42.146{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FDFD505C211DF256EAD3146513D4E12,SHA256=030AC067340E129AE07DCDA50181A75AA546D58C92A47E5F11340B38055D05A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214584Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:43.308{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A620E388147B1BBC40E0798721590EC,SHA256=6A46BA730635B7E785765F1C8BD1F650301FD35DFF8521F5B3A61C141EB129F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160809Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:43.075{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5403891493084A85D340100ECDBCD2,SHA256=201856CC021129C4857FC3785BB11760D198DE9CB8E582823B855AD5DB6BAED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214585Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:44.308{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F966455CBD938AF8D7A78FCBFF49344,SHA256=40BDA7572F5E1F8BCAADD200012C5CA9F7F6113F410CD9E6C27D8F6112E16975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160810Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:44.075{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645B920D230510B90B8A5B752F1C4B1F,SHA256=315879EB2871F9E87A47D51E6B93370017044BE8C2406ABE099CA45B47CDD58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214587Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:45.309{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7541D2B1663F809AB9ACFD47540E4597,SHA256=E343BD385DAA280AE765330CD1599829B12FCC061283D2D0AB7DE2EDC8C95E2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160824Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-549D-6116-EA05-00000000E801}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160823Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160822Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160821Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160820Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160819Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160818Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160817Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160816Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160815Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160814Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-549D-6116-EA05-00000000E801}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160813Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-549D-6116-EA05-00000000E801}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160812Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.653{C6197713-549D-6116-EA05-00000000E801}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160811Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.075{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A4B5A70397FBD96E0A6CEF585E4045,SHA256=9FC87F5459C83B44C64AF00672B2221EC534EF99DB5A53794F2AE21992D4341D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214586Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:42.151{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64766-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214588Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:46.328{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E89B65CB313B1487F2C29DB2B73BCC,SHA256=A27DD4F02B3C7D24CB724FA16A5A5C127A75C684A281D959E4CF796B1558F48F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160854Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.887{C6197713-549E-6116-EC05-00000000E801}33283596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160853Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.872{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D987B8C8B962FE900E8D36C807A0C3A3,SHA256=EB01750F83EBC47603D1A0A852BDD425D4AA6CF2C3E3E1B2FFA6FB14830F1632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160852Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.872{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FE7086838E96CC99A75A968516E4177,SHA256=A3139289F4352807F8C5546B2F49190259215B51D1F51DDD1ECA04E6D91739D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160851Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-549E-6116-EC05-00000000E801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160850Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160849Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160848Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160847Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160846Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160845Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160844Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160843Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160842Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160841Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-549E-6116-EC05-00000000E801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160840Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.653{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-549E-6116-EC05-00000000E801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160839Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.654{C6197713-549E-6116-EC05-00000000E801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160838Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-549E-6116-EB05-00000000E801}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160837Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160836Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160835Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160834Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160833Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160832Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160831Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160830Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160829Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160828Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-549E-6116-EB05-00000000E801}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160827Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.153{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-549E-6116-EB05-00000000E801}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160826Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.154{C6197713-549E-6116-EB05-00000000E801}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160825Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:46.090{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBB3488B3B4A395628435177E515C3C,SHA256=1410327883DB1A175CBF0F1FDDADA798933D03F72F93046DF5362A72F9681AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214589Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:47.345{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1160F62759204D257A68C2F0A22FA5AF,SHA256=303015D0BE717010A9FA2EAD3BDE8B3B80D264F309A00D8D90669BC95EDCA5BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160856Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:45.724{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52110-false10.0.1.12-8000- 23542300x8000000000000000160855Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:47.168{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069D1D465E364491673FA3C7A7E5D31F,SHA256=692F0967A94358176B8D31B0F11E40B6286A9BDF17F0F0ABEC1C78C57798607C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214596Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.377{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737D8B84C81DA42B537D7BF6392DDA7C,SHA256=346A9BA03A44B7AF877F4C68D5BAEC159D4E3063FE93AAD3E9E1F07BD22975B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160886Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.965{C6197713-54A0-6116-EE05-00000000E801}26843572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160885Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54A0-6116-EE05-00000000E801}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160884Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160883Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160882Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160881Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160880Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160879Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160878Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160877Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160876Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160875Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-54A0-6116-EE05-00000000E801}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160874Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.762{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54A0-6116-EE05-00000000E801}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160873Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.763{C6197713-54A0-6116-EE05-00000000E801}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000160872Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.528{C6197713-54A0-6116-ED05-00000000E801}948640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160871Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.278{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5526919415E0B403787C243C11E48537,SHA256=BB58E69924E459B50E6844DFF2178CBF76C7147C6E8B7F110A71EDB0A272C93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160870Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.278{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214595Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64MD5=1740DB24E17622218EAE04A91ED10F99,SHA256=62A7FD4EE533FD8D272F19E8C810F514BCCC54F3BC0BBAFE5966A863E48FB0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214594Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64MD5=D7D274F17ED5451F515F5B2A309FEEA9,SHA256=334BDD21521F9F155121731452DFCCBE4310EDE81D6CEA857066A2F91B2CAA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214593Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64.bakMD5=D7D274F17ED5451F515F5B2A309FEEA9,SHA256=334BDD21521F9F155121731452DFCCBE4310EDE81D6CEA857066A2F91B2CAA7E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000214592Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64.cmdline2021-08-13 09:42:12.129 23542300x8000000000000000214591Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.145{079FE16A-3DEE-6116-CA03-00000000E701}5736ATTACKRANGE\AdministratorC:\Temp\release\x64\x64dbg.exeC:\Temp\release\x64\db\Akagi64.exe.dd64.cmdlineMD5=640DE1377EA800F849AFA894E8F4640D,SHA256=605B207CCCAA04653007EA2E29D172B5EC95374AD9FBDD7BCC8C2CC01EAB2805,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214590Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:48.108{079FE16A-3DEE-6116-CA03-00000000E701}57363672C:\Temp\release\x64\x64dbg.exe{079FE16A-53B9-6116-D306-00000000E701}6636C:\Windows\explorer.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Temp\release\x64\TitanEngine.dll+12e1e|C:\Temp\release\x64\TitanEngine.dll+11896|C:\Temp\release\x64\TitanEngine.dll+37eb9|C:\Temp\release\x64\x64dbg.dll+64aa5|C:\Temp\release\x64\x64dbg.dll+58f0e|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160869Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54A0-6116-ED05-00000000E801}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160868Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160867Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160866Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160865Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160864Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160863Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160862Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160861Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160860Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160859Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54A0-6116-ED05-00000000E801}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160858Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.262{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54A0-6116-ED05-00000000E801}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160857Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:48.263{C6197713-54A0-6116-ED05-00000000E801}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214597Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:49.377{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C159416328832FF565DFFA83E0A26A1,SHA256=D61F8931B27662B2BD3CFA109F0F6EEC35C9BA943091E03B63DB93F8637E9C1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160918Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54A1-6116-F005-00000000E801}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160917Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160916Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160915Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160914Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160913Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160912Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160911Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160910Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54A1-6116-F005-00000000E801}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160909Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160908Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160907Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.936{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54A1-6116-F005-00000000E801}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160906Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.937{C6197713-54A1-6116-F005-00000000E801}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000160905Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:47.927{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52111-false10.0.1.12-8089- 354300x8000000000000000160904Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:47.556{C6197713-269E-6116-0100-00000000E801}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-867.attackrange.local138netbios-dgm 354300x8000000000000000160903Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:47.556{C6197713-269E-6116-0100-00000000E801}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-867.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x8000000000000000160902Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.497{C6197713-54A1-6116-EF05-00000000E801}420216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160901Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.450{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A95D21A967443932882352E45B1676,SHA256=B4FF323A8E882E368A77A958FBE2703D71678C1A29AFBFCE104E69561BCC3D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160900Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.294{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D987B8C8B962FE900E8D36C807A0C3A3,SHA256=EB01750F83EBC47603D1A0A852BDD425D4AA6CF2C3E3E1B2FFA6FB14830F1632,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160899Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54A1-6116-EF05-00000000E801}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160898Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160897Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160896Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160895Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160894Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160893Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160892Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160891Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160890Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160889Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-54A1-6116-EF05-00000000E801}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160888Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.262{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54A1-6116-EF05-00000000E801}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160887Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:49.263{C6197713-54A1-6116-EF05-00000000E801}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160920Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:50.981{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B3D9D6FE71ED7D88EADF33C4AC5A4A3,SHA256=82A5DB04030CF884DFE532A3A0E8E4A720AA7540DFB44073461AF6D8DF8E554F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160919Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:50.452{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30339AA3D807F495B8BD4F4A94D68C93,SHA256=B554F535F85393253D1B30517EBFA1DF9B98371C86436DA34586353EB9776810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214599Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:50.408{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776780BB4796C6293C673547D1C0507C,SHA256=293C910A664667AAF5DCDF12D600E57927DA46D434937FF592CA2DD69FA1353F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214598Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:47.186{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64767-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160921Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:51.465{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D5B172A78165647E19CF071B981F7B,SHA256=26B3202801C5FBD741C530DBABCA92C8B9C3FD4DF1AAD7353AF38E67F86738D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214600Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:51.408{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B78F6E2CEB32314CCFC8541B0DF289,SHA256=16323B1099EA02EE61EC8E329A7B74EC4E76E17F10A4E38B437295A6CAECAC67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160923Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:50.833{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52112-false10.0.1.12-8000- 23542300x8000000000000000160922Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:52.467{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EDE37A43D9BD76BD56A0EA57B9A94F,SHA256=F86C692B3D4846B63A9597838ACA50505D70461C7F4757C139D4C418706D2244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214601Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:52.426{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CB6B46412720A044AB0DC83A6A4C26,SHA256=4E33773DFC35AD18E4FC2CF34F7B24F452CAF06BC6BD73CA6F193F74B6EA9F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160924Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:53.514{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E877F8DCF85F7BA0C60ECFC5D6FA9570,SHA256=545772A5553EE8FB218A154266C2E9D355588E7BE0637E86CDB06F6D80395FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214602Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:53.444{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6660127D34304EF4B824B802F2A11BFE,SHA256=2385661C27A72BA8B4F898759235334EDEF6E2FAAFA2A0FA06CA10BEF1512709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214603Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:54.445{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAF62E5E67503A8D3CF486EA7692068,SHA256=DD73F69FF331B058806917716591EF97B92B4B618CA06B366FC9D6B4F64DE0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160925Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:54.530{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A590A461BBF1B79A4E2BDF5F7BABF71,SHA256=B81A66A20F056D49D68256162F846A43B302BC3014ACB028E6A902F45162F813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160926Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:55.545{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EE4899A46B542391E757A3D5157C8E,SHA256=5A9D4F3F416A11480A02BDFF138289429410306CE7C2ACCED2A63661C874296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214605Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:55.459{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A47E083C402170324192B50D5D72A73,SHA256=9E4C2074C32BBB8B3BD061A3189EE56093EC1C6EA6259268B8AD8F950E0C45CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214604Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:52.284{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64768-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160927Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:56.561{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADB6258579A9036AB85CC42E92C38D1,SHA256=6746012CC98BAD463701E37D69A6B5269FE3D3A595877521EADDDB251DF85397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214606Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:56.474{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC5CD77097817B2C043B6D6513FDC1C,SHA256=C531DEC4768F5567DE548767770736C1D8B48326413EB0EEBBEADA2BE40D8677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160928Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:57.561{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173FCA1BB210D3004A733E4C490B6F5B,SHA256=D79A141D1DAE63D831230AF8E80363E2C9C87C916C4DF22C12371527D485A830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214607Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:57.490{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4583A4E0EB9A525DCA6D76A74C6A1B4,SHA256=375FE538444DBEDEBD37F2DCD24DB7FFC226E43699E5216724BF271C689ECD98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214608Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:58.523{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE723CF076988D184DB6D9D1324810C1,SHA256=629C2A12DF2A9BC95B975F50B4729E8888464F4BE9500D4CDDF9733C130608FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160929Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:58.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CB78F6FDD2CF16CFA33E0531271989,SHA256=DFDBCC9F5D6F03627F4F3B4FB2D90631F892ED1471B61683E0EA6DC5D64C7DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160931Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:59.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98AFF700DED4ED2B43C96E963E09CBE,SHA256=42AAC117A6BA2CB99BEAE3D48DAD14051959E04848D0BEE37F179B81D40F05EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214617Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54AB-6116-F506-00000000E701}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214616Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214615Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214614Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214613Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214612Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54AB-6116-F506-00000000E701}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214611Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.741{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54AB-6116-F506-00000000E701}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214610Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.743{079FE16A-54AB-6116-F506-00000000E701}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214609Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:59.541{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E47A4B6DF65070D547AE63A02C488E8,SHA256=A6FDF0C870BCE8F511210871C2775CBDD7980662054D7FBAA4D7816494669CD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160930Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:16:56.835{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52113-false10.0.1.12-8000- 23542300x8000000000000000160932Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:00.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E70D3D5D040EE9F0DA8907D57EB7CD1,SHA256=BA60E18F495759973FD83AFE9844CD50DCF50537F1C0B08544CC5DFF2743C1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214629Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.757{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8476CE62A715E4E6A2D1F6C6AEAEE951,SHA256=41CC7C45E620772C90972615AAB4C9052420165F24B7E27FE0CF72D314F63E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214628Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.757{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEDA6C1EEF43A8136141EBAE24BAF6F3,SHA256=AAE3E52772AF8BBBCC6507FBCBD44E657E72B78D8B00EE15D18A29E8383D414C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214627Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54AC-6116-F606-00000000E701}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214626Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214625Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214624Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214623Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214622Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54AC-6116-F606-00000000E701}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214621Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.604{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54AC-6116-F606-00000000E701}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214620Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.605{079FE16A-54AC-6116-F606-00000000E701}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214619Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:00.557{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2028E913404409707E0F667ADD1FD0B5,SHA256=1DB4A91C5EEB66AC094F870AA80736DA2763ECFEF1ABD22CA8ABE1B7EC0AB7F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214618Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:16:57.330{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64769-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160933Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:01.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB7838A6D1D937736C542615C48DBCC,SHA256=F59591E2A463B0D340CDF9DD832E22418B28F505DDEC11A6D422FAB685C6976F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214639Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.572{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9811A0DCF9D81E74B43F7485DE40336,SHA256=62F990E9C90D6560750876415D40E4D22D38F8080AE215CFFCF6A3924B6522D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214638Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.474{079FE16A-54AD-6116-F706-00000000E701}11444592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214637Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54AD-6116-F706-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214636Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214635Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214634Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214633Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214632Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54AD-6116-F706-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214631Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.272{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54AD-6116-F706-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214630Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:01.273{079FE16A-54AD-6116-F706-00000000E701}1144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214641Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.587{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CFFAE2D54CC320692CE3A28259E289,SHA256=C281C035B046BDE6AABA53EBAD137432243DCAFBA4A1C8C457A8D8994C456498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160934Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:02.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98980AD16C8A579F7167C0F324F77DC6,SHA256=1AFFB9295C387A8E4187BE68359A308BB9C93188F64E4FD42CAC85AC94A58012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214640Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.272{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8476CE62A715E4E6A2D1F6C6AEAEE951,SHA256=41CC7C45E620772C90972615AAB4C9052420165F24B7E27FE0CF72D314F63E08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214650Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54AF-6116-F806-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214649Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214648Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214647Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214646Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54AF-6116-F806-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214645Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214644Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.740{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54AF-6116-F806-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214643Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.741{079FE16A-54AF-6116-F806-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214642Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:03.603{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA132AD62AE829C666D4B465CA7D2C88,SHA256=1DE124EBA2B6610C161B78045D741E621CD4C14439F95E26DEE043ED4D973731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160935Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:03.592{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3671D4F6CE0407ED00ADAEE0D8AE5AA3,SHA256=77A6443510CF7B399803E2FEA948EADCBB97C78D6D83712502F6BC0EC2997034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160937Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:04.608{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6418D18E32946CA831ADDA38ECF1549C,SHA256=658C584C4B730A64D2AB8B0D491C62372F7295594613C23A6F34B79ED6693B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214663Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.687{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28146E610A0F5F35C5E5AA1A3246F407,SHA256=F6ACEFBA47E83AB5D61A97448A6FDF4F1B91DA4A137F55760F5B494CFF5D2308,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214662Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.687{079FE16A-54B0-6116-F906-00000000E701}34723360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214661Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.624{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777E4F152DF0CE0C05D14F8DEE7BCF57,SHA256=3DE9CFE3162A61104B7E15EA3A43BBF3A6EDC65C94CCA779EF833268D7B2D158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214660Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.624{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEFCA941D56FE3D519682EF27929A07,SHA256=DBE5515E147B4598E27C66457F8F82772F37F6FD22DBCA43200100456D45AA74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214659Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.425{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54B0-6116-F906-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214658Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214657Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214656Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.422{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214655Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.422{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214654Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.422{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-54B0-6116-F906-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214653Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.421{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54B0-6116-F906-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214652Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.420{079FE16A-54B0-6116-F906-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214651Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:04.024{079FE16A-54AF-6116-F806-00000000E701}50086588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000160936Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:01.908{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52114-false10.0.1.12-8000- 23542300x8000000000000000160938Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:05.608{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC299DD9594D9260C045AF9F0B9A39A,SHA256=C4CEFC484C5A0B35D15BADC1B1ACF48896342052A4A4C18F24D7466721EA1817,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214682Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54B1-6116-FB06-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214681Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214680Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214679Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214678Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214677Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-54B1-6116-FB06-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214676Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.757{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54B1-6116-FB06-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214675Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.758{079FE16A-54B1-6116-FB06-00000000E701}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214674Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.656{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27676BC030AD900CF2ED37A6B009F39D,SHA256=395300C3A8668274B2BB01554127F7584436231F95F68AA52AD43499919F9EE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214673Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.597{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local63213- 354300x8000000000000000214672Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.365{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64770-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214671Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214670Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214669Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54B1-6116-FA06-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214668Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214667Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214666Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54B1-6116-FA06-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214665Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.087{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54B1-6116-FA06-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214664Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:05.088{079FE16A-54B1-6116-FA06-00000000E701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214687Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:06.657{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FD7BFBAC6F05801512DC1F77983086,SHA256=AE232835A9F39CD1EEAC0CB7F11CE377443FFA056A4BDF20F09EE3F7B285F684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160939Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:06.717{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208689664E0B79BC6E4F83132029F696,SHA256=93D9F0FF6AEAC1E3C557B1B847DDAAACBDBA49768AD5FE7CD90B3ED1F422400F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214686Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.797{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64771-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214685Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:02.797{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64771-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000214684Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:06.089{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C25DEBB2A0799D6FF9BA9940ABC54357,SHA256=6FC5B3A52BF27AD841DC88C7CFA52968B3BF0C5CC6448FB42BDC57395025FAD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214683Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:06.005{079FE16A-54B1-6116-FB06-00000000E701}6366572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214688Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:07.657{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C04E6FA7C2184F8F4D08A02C3E021EA,SHA256=E1C1F04410953B3BDC54B77E41D1A95822EBEA8D1FCC3BD21387F12E4D2797BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160940Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:07.717{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BF5DD9418E5DC4AC843A961F7232EF,SHA256=F1090F2725FA926EC7512B6E5C78C9BABFBCF53298F13D69A5C8FD0A22D0A54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214689Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:08.672{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1629AEED4C6D3C1F93B9E6051306F83F,SHA256=1E8316D30DA1340399326975AAC2A10835B627773BC9086B68168AAFF051EC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160941Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:08.717{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E3197BA0EB155109050C88A8B60C2F,SHA256=7F393DD55A5042CC75C2463084E6B1A5B0E0F237984EB3F089F68E0A080C5698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160942Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:09.733{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3422C23B09F5D4B17BA35655848841,SHA256=767CCEEC063819347674B2B090978CBBA1CEA06AFD2EF61D0F62F1D767B3FD23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214690Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:09.688{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE8142C21A9D71C7D8C4E39CCC5F693,SHA256=DE572C791A0757FD4D932D64C8A5D815647E5D7702433F413BF8FCA318C4F48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214692Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:10.703{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A585F5EED54EBE8D88003EADDFBFEDD,SHA256=7167082FF4E3C082F565EBD848FDF44AB0F45279939D0C599EF65BC066A15B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160944Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:10.733{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4110F19D800E84972C0C4FDFED6E0F0D,SHA256=1C0F11793B88B69F8A141E5BA1B490EC90CFA8F1478B303A04F43B5D4912DEA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160943Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:07.835{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52115-false10.0.1.12-8000- 354300x8000000000000000214691Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:07.366{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64772-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214693Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:11.722{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A7A9A7E477302A82B040E37E6DE39F,SHA256=9CE1FCF14EB16421F7BB845DD9B5D5C1D155889E81076C9133DCBF9BFFE34445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160945Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:11.733{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E241D954BB95230324A4A94A202CC649,SHA256=C92547A89A6C3BF273877B7B0B65773C0E353FD69CEFC7710634DEDE89EF5C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214694Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:12.739{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594DC3A1B749C2F254D2F51AEC4403E3,SHA256=C873A5F5C30F2D7EEA3D41B61B7844DA85D5DE7B875D6B39F72B0A670F23AE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160946Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:12.733{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA623D71FBDF610738AE8F5B4BF7F8E7,SHA256=70398EED25D228E7A90FD68BB7FD397CE2CFEBFF4B6454EB9D3907C306853E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214695Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:13.754{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12B51B7D9B16207C291BD295B9113A6,SHA256=7624382FCE5D6B43292907527B70DAB9D36E8B446D875CB4EBFE5C5B2EEF6C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160947Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:13.749{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF02F4927424D3422D4B9483AAD39625,SHA256=4406724D1BE5817C8E2646F4F11DE409526B332F4A766C3ADEABC971BADC371D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214696Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:14.768{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25D2CA81C354245264A8E53221B009A,SHA256=04F789D8BED4B7CB4A6D93935004A2C38FD239FA18A844D9560DF2EA4922B5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160949Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:14.749{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31B6EC6B5C2B9ACF7AFAED4A5B50ECC,SHA256=3F7AF5929B15665290616AF54079F758D53C31E4DC08951B32450A76B9BA828D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160948Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:12.851{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52116-false10.0.1.12-8000- 23542300x8000000000000000160950Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:15.764{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614DA93887BD9089261E6A7ABFF8ED40,SHA256=0B45BC38184DF2C473F43D6ACC8E6A85060EA1BA1332471EDD5651186C956B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214698Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:15.798{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5E2E89BE7FB6CE37C2CF12F01CC01B,SHA256=E0AB854E773ABE720E868DD8D1B5A883A7A7E96DBC91EC300954A5428C381E1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214697Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:13.262{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64773-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160951Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:16.764{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7E4386566ED7E57107BBAFA4146255,SHA256=1A9F21A92CEE1BC295E114A23C20C03C89947B885F2D2BD8DA72A90A5F5718AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214701Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:16.819{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A02EFA217BCFED702194CF35A6C8FE7,SHA256=9954696DF0B625ADA7218130E7FD92D4EB38CA06E11BB09A02E4E3BAD2683490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214700Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:16.597{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D10B115BF09527CCA1FB32FF2D2FDBB1,SHA256=388AAC06C3FD1E4EC8AE627F4E0ABB84BCC4B4071115CCC0AAA784A06440CE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214699Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:16.597{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=025B12EA77D39434BC95B4AD5B7A1EE8,SHA256=576BBC7465BC9BBD308A71050BB9DB7751C370C185E56192EFB729D8D1A84713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160952Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:17.764{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA96449665E79DC99F4FC673C831254,SHA256=ABDF86D8B62C0695016A62C6C709F6BE658B1ECB15DE82E79B4B6A9C21FFB6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214702Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:17.835{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5446B0FB3CB743D0D17A8A77970530D,SHA256=DCDA60293266E2B804102FC386B48171BA28E13D0D543850B6F8437D6FE010AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214703Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:18.850{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0DE798C14C0AA753131967675F0A9C,SHA256=29A6F3EA32B79170C7DDA6A12CF87736C4EA29F142E134D0A74633AE275CB2D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160953Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:18.764{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2E75F009F1D90E461032406E592088,SHA256=1D9FD71DFBF5FC9BC0253EAF6034FB0642BEB462FA5C54D7ADC9AA9FF382979E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160954Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:19.812{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA71BDAAC92844CCF723A98DDD3F445B,SHA256=C97B1BA2D8D5BBD4354B5329F23F9CE22FA83418EF5D7DF515EDB118A8074987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214704Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:19.881{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85C3696B6A723335C4D2E821E6002F3,SHA256=C865A3E632F7DEDAB61D579AA0E2624FB707E28447C5933C0F601F84945C5AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160956Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:20.889{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE111945943A515954B6221789D619E2,SHA256=E0A1785B06CE03FE024982A8C695B3D48B82C8A944377D04908392FE52A9A752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214705Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:20.896{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9731CCD30DDFD14C8E26A7C7ECD9234A,SHA256=69A3586493101651D3BF8DC5D56345F40F37212C89CE2312C96BDA1BA5ACBAA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160955Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:18.804{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52117-false10.0.1.12-8000- 23542300x8000000000000000160957Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:21.889{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B893B2B67843EEE521EDE5FC85ED0A10,SHA256=34200270120DC5F31EE9CC526956731A4F59792513392267F95EDD393CB99F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214707Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:21.915{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6ECE4BCC86B54EBAD707A299A553A1,SHA256=97B6F14CEAA1F5AA802126954E0E025F34D98F696890F78C023E0E79CD827FA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214706Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:19.190{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64774-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160958Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:22.952{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E05FBA1FC3BDDDA0040175F3D92F7E,SHA256=74C8D80F0058E15477B3FF7639F6BFB0BC66FAC7276021F1A96A58043D791107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214714Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.947{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3281F49034DE0606A96E629400A3F7DE,SHA256=1F93D2B4F1922D69CF7FD95E9E03F87DC914E81CCA492ABE8E647AAFE4271622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214713Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=268A5B81584066A7B96E45DE164DB5A9,SHA256=7ADAE880E011183ABB8F753928B18E5BF965E3DB7C8BD9DDFC2CF0A37AB69959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214712Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=5424D7FFE859E762DCE16320288D815E,SHA256=9465EF5D5BC8D4A1371F64B73EE48F6BED6FC8F2EA1A5761D2117B139091087B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214711Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4E153D6E6BE282CA37B2EEA4355B5978,SHA256=AE13663276FC1746AF061564BD69F4CD45BB891D78A0306F10ADCDA09AEA1C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214710Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4D0AEFD2194B8B56B717E8542F6188B3,SHA256=E9AFEAA91FC06605B9FE288A3C9141ACB78159F6C1D26926227D1DBBD95FAB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214709Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=090D37E573318EDBD3C5E8D91D2A3865,SHA256=892A1FD2642511708236AA3FFCD7E176F887DA32E3BEF172FF341CD45125C46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214708Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:22.079{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=FC9F4FC2EBE2281FED0BC311DBB5DE58,SHA256=89CD08F04C7DA4EB3AE04246B575915BA7F9CA00FA29906B1FCFD9015CB887D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214715Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:23.961{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AAC5403089547D3233D165229C7C6B,SHA256=2B0B3BE42644563564F96B2F18082793C013C3424F5CA7BA90B7BD84A1A56606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160959Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:23.952{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083C65F16E53BA86A0FBF6480A74E8A8,SHA256=D33479DE3DC31ECC8FA8DA959DB67D816910CE81EFBD9158009E1EE8C5745F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214716Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:24.976{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14AFAC961339BC702641399BBB4FF8F,SHA256=CF83844A1E99F83F318D5A03AE0EA8DC54D34CC6D8A1B2134303CFE6A08DFA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214717Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:25.976{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1EC79AAB79AE2609421001FD1CCC8A,SHA256=817887038E0B0204FBD7644A667F1B946C23531F177A2E7ABDB28AC05A5C9256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160960Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:24.999{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF74CB83A5656382CB52B05E0F3139C1,SHA256=66BF84339CA049121D73AE60D944F50141724386CBF2C4DA1F74FE6B9CA2B9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214718Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:26.978{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A0E596AF5304FAA4935CC54D0830D9,SHA256=FD4DBDC0A11CC9E76647BF0B4D1D40EE50680661E5C8867C305FF50228078EA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160962Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:24.758{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52118-false10.0.1.12-8000- 23542300x8000000000000000160961Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:26.030{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA24244406F4C4DFAAC11F4EAE44269,SHA256=9A307540685394BEC48C8FF86AE4E0ECC0520CBFD35F41E7B4EFFFC7FAC520D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214720Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:27.992{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D2732C6073F68D851D5948ABCC2681,SHA256=C9A2783539488A1804F64637900E91FAD46C154DE63159C7CA466CB5E620F650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160963Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:27.061{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328BF977BCAC5B27C619F58192061D5F,SHA256=EF9FE2C5693A5F43A49C99472AD024263A87C008F92DF8F6A96871AC371577B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214719Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:25.217{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64775-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000160964Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:28.077{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E823624CEB80B8EAA538CCBEABA5DB,SHA256=B5174D6EF4317543650E14DA1DD48D40ADA7E258316BCEF93D4F66F099BF8912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214721Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:29.010{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F309A5F65F62647F33C917089B87D3,SHA256=DF15141AAECCCA9F08B287E9D640FCC36394334AD44307B51DE396CE1E5B21A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160965Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:29.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8103D9DA6365B5E23D843099191A3717,SHA256=E6269E61B582519008C655B02FBF7C949368B8A3E58EBCEBC440A2BD17F66488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160966Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:30.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31290432B2F004295BA3A36B296AE5F,SHA256=FE2E8B53CF92670B990604FBF407E8331ADF37F62A28B3A27F452302415CEB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214722Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:30.028{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C21CFC26EBF90D06509453682E263F1,SHA256=A0873F61B7CBCB572D3A04F3EEC69C5DA8E6EEC3F53BE7BCCD2C7624AF9FBF77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160967Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:31.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9C93CECFBE410A059D8CDB4C72CCAB,SHA256=E6357BBDA0BB1DC8A8A8870B54FA557EE1EAF030CF8DCF2647C3F99D0F6B85CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214723Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:31.043{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43E9E3076D32322C22E3C89EC84DED9,SHA256=E546E38659913AA1749436030D8C427C77A282AF843426A6E3C58B3E3986ACFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214724Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:32.089{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11457E9A04DDAEDD120C88F1A51D604E,SHA256=C76371CBABA48AD9B8FC7457BE76938A0DDBF4F4E9654D023E952483A8738D9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160969Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:30.727{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52119-false10.0.1.12-8000- 23542300x8000000000000000160968Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:32.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC01ED4FF7EDCC7854AF50BCE29F976E,SHA256=AE1B7C8EFBC9609899D7DB57FA95EDD83082F79524B51D69AC746ADB1BC529A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214726Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:31.182{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64776-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214725Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:33.108{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD604011D9CE7E8C85A40E1AA631399,SHA256=EA82C120777E9B3A89440D8B9348F39F15594803CD66664C083BF8461C560019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160970Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:33.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEAC2D01324E65F1703428C4831C659,SHA256=D8BD6AB218A143BE2E768978649B1E80689CF5B21A2F6919F7B7AABE47987AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214727Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:34.126{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7F870E81571B89D4B4586EC7FB74BC,SHA256=3A63E2F4013DD38EF7C71FE3C528EBA9D0E3E663D143311026F50F20CD40503D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160971Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:34.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA7A7C8CC2819D25069209955912F1D,SHA256=55A6568D1AD0FF14F84E3D145F107ADA7AA10F0CA09204F64C20AA700BB13CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160973Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:35.296{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5D3159B3477EE64BE401AAAABC93658E,SHA256=90A3245DB82C9F6436113CF9343AFCFB9FF07148EC69646463B9C33EB5D148B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160972Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:35.139{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8809EFD26EC851F28755E985F18D4FF5,SHA256=D05A78CA41DDD53816715F9C3F144B014C0D2045230A9CA515AC4E4B6B731DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214728Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:35.155{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE582EBD4E4F3DA3EDCC86868683F38,SHA256=0F59167CE88327A334579B46E5A45402CA8045F9C28BFAF086CD9469EE979B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214730Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:36.868{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9AAE6303FD42C89CA326651066045B79,SHA256=A01544EA4CEE99ED2DF7C5283F6AB369B0647C6F6F088B553066E500A2D6E6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214729Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:36.169{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A5E4937FD00917B1B2E8EDE4D2884C,SHA256=EF15D7A7563FB1A6B92ED7A7196653AA78214712DFDB4746D6761DD0F67E2196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000160977Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:36.921{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160976Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:36.921{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160975Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:36.921{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1500-00000000E801}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160974Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:36.155{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6869B54AA8205399FA57E7F81BED9672,SHA256=277C2E325DFD3037495D38ECCBFF494A3D6AF838A11E343D1D9B74E4252202B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214731Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:37.184{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8479DBB98354836BF97124F38B83DC58,SHA256=47074A8B3B018F247AE8F160CC9B0DC1B0BD48FCCC3E95F31B137145BB8780B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160979Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:35.821{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52120-false10.0.1.12-8000- 23542300x8000000000000000160978Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:37.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A094C2EA3BB7BC10D671CD4C3B845AB,SHA256=5599BA9532FAE256AA954C747D4AB1F96C427F601275D483BEA6EE7C10163898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214733Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:38.739{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214732Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:38.185{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB4455205DDED35161E6534BE162D4C,SHA256=A5DCE0B6D65098E05E8FBF8320150023E535C7BF1B062FB0DAA4C0074D223652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160980Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:38.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F9A3B322CBB58553C2442BA5637FD4,SHA256=DC334AB1EFA7DE2F7B98CA7C5B50F42795F2E4C80031E88B4187A901A3001B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160981Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:39.170{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD2113805CE57A87211C19850743989,SHA256=9814D3FF54E8EF7E67AE506EBF087BB9EC4D91717485BE24B3062C48DF96CE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214736Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:37.849{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64778-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000214735Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:37.209{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64777-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214734Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:39.186{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD50560F1CA1A933E2F03258A14901C,SHA256=28AF0D6593167CB410031B19764745B6FFBE39197802DE1665390A8047314DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160982Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:40.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF90A81D301FE247F959C7B3FE1AF7BD,SHA256=BC2EBC763BB3ACED362A7A1BDE6DA6E32FB4426F7B2BF82F51F9773EDEEA9AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214737Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:40.187{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1806593696FDDBE94F881F6283436D,SHA256=2B923BA62036CC34AF5A5C51343214DE1DC9438AC1CA57E58E9BE721FAE139E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160983Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:41.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51909369C122D010760317DE0854C106,SHA256=193CC5BB15A003E8DC04FF1EE7EBFAB7D30913FAB5519EAA2C6943ECB59C2A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214738Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:41.205{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C8AF90DCF49650BE1A061C8F0A3F1A,SHA256=3E319D922CA1E680AD427B6D4F7423EFADFE58337A1D826B081144694C3C8ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160984Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:42.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7D4E245403198E5BD6FF058E5ECC07,SHA256=BB6E38C557BDD254FB89F022069C53311CAD31B65E70080B01CE37B33399A4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214739Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:42.225{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B6BB8A7C14EB8106E5067356B39CC1,SHA256=8898975071596B0C75FCFE0936159167B2A2A7C4B87D4942F3CEACB776527BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214740Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:43.240{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7471318489D07DA469F30B5EEDF8FC,SHA256=D4DB5602CEF4FC31B3A577D7F6D184191EF96E012E0476D09AF0408127FA7EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160985Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:43.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90750E7795EC3B47E5EDCB283DFA7E52,SHA256=F93A21EF32DB6CC7E85C2CFEDD3C39BC018C4DD52FFE9E690F1FAFEE57FC9651,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214742Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:42.211{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64779-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214741Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:44.254{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E5048213849304201CDB486EB0C5CC,SHA256=2A6696000599C42D2BEC220C14118A68559021BC53820398F53FFE9CD873AA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000160987Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:44.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656F419EBA75C0351E9FCAF42C5F5860,SHA256=AB4F4B3A5A4AE6F3231341DE207D29B1A87707A8370CEA3A30F0CCE33B6E0BF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000160986Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:41.727{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52121-false10.0.1.12-8000- 10341000x8000000000000000161001Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54D9-6116-F105-00000000E801}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161000Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160999Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160998Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160997Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160996Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160995Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160994Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160993Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160992Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160991Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54D9-6116-F105-00000000E801}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000160990Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.655{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54D9-6116-F105-00000000E801}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000160989Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.656{C6197713-54D9-6116-F105-00000000E801}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000160988Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:45.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5605AF0A3945ED8E67DC298C61A05E,SHA256=A61167532BF47E185B79198B7FE3A138C4897B293BD24C8DD4B9CBE0A29F13C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214743Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:45.269{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189873E1A496653EF568CC93A9A17FBA,SHA256=47D23BEBB1E85AD2C887702B6C623E85A83D925D9484084F3AE17817FB916DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214744Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:46.303{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E180DC54D2599E12ECE1FB40F32EDB,SHA256=686C683F9D2DC099DEA2BF27BD3B68D102431A70FC025E4950EEE0BA387E91C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161030Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DA-6116-F305-00000000E801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161029Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161028Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161027Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161026Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161025Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161024Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161023Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161022Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161021Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161020Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54DA-6116-F305-00000000E801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161019Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.827{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DA-6116-F305-00000000E801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161018Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.828{C6197713-54DA-6116-F305-00000000E801}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161017Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.655{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FECCB7ECDCDB7796845BE61404C15B7,SHA256=F3024310D28F145BA081DA970A1B1880FB0BA3558E3F9E0F6E51EEDC25D1E4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161016Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.655{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6898E8399D02B750474E4D8E26A690F,SHA256=44535F621AA557B9F41B3425BD93A1F7C9CD28B8CE9B805D6CDC60B29078B3B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161015Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DA-6116-F205-00000000E801}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161014Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161013Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161012Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161011Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161010Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161009Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161008Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161007Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-54DA-6116-F205-00000000E801}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161006Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161005Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161004Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.327{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DA-6116-F205-00000000E801}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161003Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.328{C6197713-54DA-6116-F205-00000000E801}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161002Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCF0B8386E599108E9F13E823FBDE99,SHA256=8D30653718C6DDE23022F01AFFC05F58AF0261FB1CF3180B8007D97801803F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161033Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:47.858{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FECCB7ECDCDB7796845BE61404C15B7,SHA256=F3024310D28F145BA081DA970A1B1880FB0BA3558E3F9E0F6E51EEDC25D1E4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161032Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:47.436{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E386DDDE8B2E7A5CF643506C8036CDD,SHA256=C9F69139B096FA0E5E576C8DB47B17472C6AD702371A4F8CB98FF5BA8C0810FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214745Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:47.320{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C927E6F36BDC4C7E8598429B3631862,SHA256=9D00761F2B51924B992054DF13B64EE88F0E21E19373576E322A1C840D483B35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161031Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:47.030{C6197713-54DA-6116-F305-00000000E801}33803368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214746Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:48.335{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BC07B2357104B77A7F49AA31EDA57A,SHA256=FAAFB9E408ADC3AE26613784E635C3945AF27DFE578757D91D59CF2303C2F9FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161063Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.983{C6197713-54DC-6116-F505-00000000E801}3284724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161062Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DC-6116-F505-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161061Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161060Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161059Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161058Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161057Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161056Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161055Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161054Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161053Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161052Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-54DC-6116-F505-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161051Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.780{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DC-6116-F505-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161050Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.781{C6197713-54DC-6116-F505-00000000E801}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161049Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.530{C6197713-54DC-6116-F405-00000000E801}3272584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161048Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.452{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C437062E08F4B9C8A1DBDC3CC4F646,SHA256=4AA6E28A268B6CA258FB241F82FCE27235F60651C890D276E87CDE5E11EF5FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161047Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.296{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161046Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DC-6116-F405-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161045Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161044Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161043Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161042Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161041Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161040Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161039Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161038Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161037Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161036Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-54DC-6116-F405-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161035Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.264{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DC-6116-F405-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161034Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:48.265{C6197713-54DC-6116-F405-00000000E801}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161093Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DD-6116-F705-00000000E801}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161092Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161091Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161090Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161089Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161088Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161087Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161086Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161085Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161084Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161083Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-54DD-6116-F705-00000000E801}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161082Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.905{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DD-6116-F705-00000000E801}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161081Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.906{C6197713-54DD-6116-F705-00000000E801}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161080Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.639{C6197713-54DD-6116-F605-00000000E801}39481328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161079Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.499{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9324EBCB88ED3289C4F5476824749F99,SHA256=EDFD9B6EDF7579FF902FA2152DC331D9203EFFFC4DC847C2887D547EAEA65EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214747Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:49.349{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6103D8650592B899912D1EA52AEBE5,SHA256=74DD45F7BEFF114A0DF223E94CB0CA9214787D085608037C6C4D04EA7124038A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161078Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-54DD-6116-F605-00000000E801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161077Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161076Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161075Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161074Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161073Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161072Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161071Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161070Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161069Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161068Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-54DD-6116-F605-00000000E801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161067Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.405{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-54DD-6116-F605-00000000E801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161066Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.406{C6197713-54DD-6116-F605-00000000E801}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161065Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:49.280{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A61118B0431A64D6C3B6C6730C59F887,SHA256=A037F684E618266B84A1A0C1F2349C9CB1894D5E64492BCC5BED68D0B9DAF5DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161064Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:46.758{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52122-false10.0.1.12-8000- 23542300x8000000000000000161096Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:50.499{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8FFC17F027339B1317548CB6812DC7,SHA256=9278BDE03972926797398A5573A89564D348CEC16906A07EE8A74A49CA752F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214748Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:50.364{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6164BA7DE0AC393F85443CF4316BADEC,SHA256=3249F2724F27B912DB6414BF869AE7306566097F485E4086E078F097E6A5DDAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161095Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:50.405{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B25F7C6AFEE4CBB2AB95F687F4F3CE1,SHA256=9546BDC63E2AFB1B495AA0A056002737E8A4F31D8320FD0B2F0489CD3A0847AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161094Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:47.946{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52123-false10.0.1.12-8089- 23542300x8000000000000000161097Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:51.500{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EDBB28243FFFF32AE173358841D512,SHA256=D10F7EAD22B6E4D098981886CC64FD68250104C21EF11C72E45CBB588180D4A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214753Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:51.847{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214752Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:51.847{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214751Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:51.847{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1500-00000000E701}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214750Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:51.379{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E41CD07567AB7D8835E2B0FEFFC180D,SHA256=ECBCB2A4BEE3F9A0E384A230BE31C1A753A05CAC1E9BB3E1A764D22A9F248437,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214749Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:48.222{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64780-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161098Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:52.501{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFDA42E9A47083179139B45AE15B804,SHA256=EDCDAC8C8DE9ADF7A1C7BAB2B5469C69E821670C035982337667D4B54D124636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214754Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:52.398{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BE3F51287B46AE1770B93A1BC3283A,SHA256=61EF481A88C582A499E17DFFD9D079AD8DA7BA5F628CE73BAFB57F4ED6EF5939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214755Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:53.432{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCA54C5941B879CC2F00501CF0E4F5C,SHA256=8067A284A31D45E288607C0F719FCCEAA07115B1A9783C8BE945AA214FC044A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161099Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:53.519{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40175C8B69DEB5937263D3CA7085E20,SHA256=0295C53A2223A170D83BE6F13A83EED6B42FB6603620E356CBECFAAB87024214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161101Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:54.550{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D2534B51DE9DD395BBEBBA86EC556B,SHA256=5B920AA6B586A09230F21511FCDF57FF905016F255CEB1067E382595F0C0CFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214756Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:54.448{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D34287B8E7073C20691A1FE86AB81A,SHA256=0BAB08A5D531E8BE6F57C503C8F0F5E5CF782A38EC3B9B1AEA2B36324E8C18AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161100Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:51.808{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52124-false10.0.1.12-8000- 23542300x8000000000000000161102Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:55.550{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1891C46457588D193802E4764227D3,SHA256=37BAE86B0796156EFE6383428B0FDD439AD7739A43A1BB5313E5FF9C05A18D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214757Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:55.463{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4AF11AFB62532DFCE2D2F5434F91EE,SHA256=52ED63BA5D9123889C9FDD155478852C572795D5BEAFC259478F795C9F8BA106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161103Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:56.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B5025AFC9779E577E61EBF34B17287,SHA256=F6BBD4B9082B1E98BB919A0E479F9EF00221F6B6264009713ADB647E3925FC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214759Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:56.499{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66B4D7F34F03702F17A8DB8C153F3D3,SHA256=0BD5220E9572F1D82A77DECCFF43C849C1E4F400A5CDB93CF0C825EA22807174,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214758Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:53.320{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64781-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214760Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:57.632{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C82C7BE877DBFDA1781F78DAA739302,SHA256=CFC3FA15E37DCAF23D1FB4ABA947D3BFDDD9644D8DB12FDC87CC6FBFF9F230B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161104Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:57.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57190D9EBFD72B50AE17659872F626C1,SHA256=09073C51249AA5039FD92D10A1C19EA1DBE769850FA5348BE5BA1F107C81C586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214761Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:58.662{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B55C02C63E587968E3D01622295141,SHA256=A2CB33646425D7D6439EDEAC4C544A04081DAA1C8858CA97AD28551CBF79EA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161105Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:58.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E7B7F2B75BC2C6BC63DE3E475C822D,SHA256=3CB15200DCD8185CECCA64361324D5FCF62583CE36CF872AEEFBE57BCED4B2ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214770Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54E7-6116-FC06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214769Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214768Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214767Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214766Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214765Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54E7-6116-FC06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214764Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.746{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54E7-6116-FC06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214763Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.748{079FE16A-54E7-6116-FC06-00000000E701}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214762Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:59.696{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32A1BFF82645B04A848B1BCBED24C91,SHA256=AB32789C92B67F61EC8EA1EC1B813DAFA7F68DE0089BAB8D5B79F4041C4F5EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161107Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:59.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD1374A5C4D1EB45F9B0A9455BA2830,SHA256=86846FF37B1B4DC67A3E5EF8F66A19899B72143C02C519C40BFF45CFB2D89B62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161106Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:17:56.919{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52125-false10.0.1.12-8000- 23542300x8000000000000000214782Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.751{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8176D22A77A2F2463D6A9BE1B80A287,SHA256=E6425B60047F1A8D140BEC5EFBA4764C3884B0CB10F12862139C0770D1BD3845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214781Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.751{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B653ACF60816275BF7AF4295A492C8,SHA256=DA03B7DEBFE130E9F8F9EDEF810FED2F2E60529F3DFB710DF6B2403793EF9D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214780Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.704{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDA1B489B309F8D60D9E2BBC2472712,SHA256=FEC1B232B8040E4939B54E89BC38D881808860CD482059E31856BC66D68CBBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161108Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:00.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74AD584BB4A0E49D0350C981AEC46100,SHA256=EC3D3AF0F648EF5BBF5F2714BB8FF97B24B6C95FE557EC4B2E73F991EBAE5BE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214779Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.635{079FE16A-54E8-6116-FD06-00000000E701}41486008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214778Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54E8-6116-FD06-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214777Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214776Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214775Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214774Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214773Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54E8-6116-FD06-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214772Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.420{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54E8-6116-FD06-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214771Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:00.421{079FE16A-54E8-6116-FD06-00000000E701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214792Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.752{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F9BDE66A2019853F68B19DCDE9342C,SHA256=0BA0E07045A08595B8440FE99E15A3CA1D4BDB214707FAD94AABDA125F6FB035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161109Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:01.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724FF7BA6A506C518A95767E50B9A406,SHA256=4821D889920EE5996F659E7153D14B7BD27FAFD15BBDDB3B543A07C364C0AF93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214791Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:17:58.356{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64782-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000214790Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54E9-6116-FE06-00000000E701}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214789Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214788Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214787Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214786Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214785Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54E9-6116-FE06-00000000E701}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214784Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.083{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54E9-6116-FE06-00000000E701}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214783Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:01.084{079FE16A-54E9-6116-FE06-00000000E701}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214804Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:02.766{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AF63B0C8C0A36DDEAB58D035B229DA,SHA256=A12B067204E273DB5A9DA8ECC0443F6584C1F2AD90AA5103F095A56BB5F66BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161110Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:02.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CCD7BF9495DFDD0A7B74D9D0C9EDA4,SHA256=36C355974FA8927EC12E37A26B051840AFA0B95455334072B746F6971C62043B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000214803Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000214802Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b4e255) 13241300x8000000000000000214801Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0x7f437ea2) 13241300x8000000000000000214800Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79034-0xe107e6a2) 13241300x8000000000000000214799Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0x42cc4ea2) 13241300x8000000000000000214798Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000214797Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b4e255) 13241300x8000000000000000214796Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0x7f437ea2) 13241300x8000000000000000214795Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79034-0xe107e6a2) 13241300x8000000000000000214794Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:18:02.567{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0x42cc4ea2) 23542300x8000000000000000214793Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:02.120{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8176D22A77A2F2463D6A9BE1B80A287,SHA256=E6425B60047F1A8D140BEC5EFBA4764C3884B0CB10F12862139C0770D1BD3845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214814Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.850{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC17B2F5DBD7324CC4CB7CACD0F269B1,SHA256=7EE6450DD3DA12E2899559A821B66E12B1F6A700490D33404B746C6DCF47E6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161111Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:03.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E21C4C21519A0DDBF64DC4DFC03FA9,SHA256=76CCCC6325AF8FCE987B8DF99DE40E021C1BC020942D761AE98E23EDA1977C08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214813Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54EB-6116-FF06-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214812Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214811Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214810Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214809Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214808Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54EB-6116-FF06-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214807Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.750{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54EB-6116-FF06-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214806Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.752{079FE16A-54EB-6116-FF06-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214805Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:03.151{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59E26942E9981CD9737B347A7F83FCFD,SHA256=69856175ECD5EBF5A04B4CFBDEB704857459143C6A8DF1ADB99881E676382DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214826Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.903{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73834F3E389A45162305E2274DD1EB2,SHA256=7787E3A74BE6C8C9BAEE975624AAA8141530723FE16BAFC70AEBA762AC221169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161112Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:04.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EAE721B27CAB61CF4E92CFA763AB2F,SHA256=5B68E1C41EF0C9A50C436A4CE4E8461D93392A6ED5B1B2402E09D32AF3B66E7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214825Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.834{079FE16A-54EC-6116-0007-00000000E701}33601412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214824Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.703{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CED16F5219E6A2D70EECFAB888306AF,SHA256=11F601E6E95094311B2A88379279CE485FBA93E296054751E46507B9F151B2C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214823Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54EC-6116-0007-00000000E701}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214822Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214821Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214820Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214819Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214818Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-54EC-6116-0007-00000000E701}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214817Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.619{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54EC-6116-0007-00000000E701}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214816Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.620{079FE16A-54EC-6116-0007-00000000E701}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000214815Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.081{079FE16A-54EB-6116-FF06-00000000E701}12325008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214846Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.918{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BDA092C26010880432DE058160B333,SHA256=88173D86BA5A8B3FD4A54BB644D4B8AC246075F862AD34853D36080CDDCBE9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161114Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:05.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F533E8BDF1D24AABC72E5DF4BFF18E,SHA256=3AB77C22F0B7A4671365F34177C1A8822B75BD5554BCFC4E2CAEA56069E92390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214845Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54ED-6116-0207-00000000E701}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214844Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214843Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214842Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214841Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214840Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54ED-6116-0207-00000000E701}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214839Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.780{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54ED-6116-0207-00000000E701}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214838Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.781{079FE16A-54ED-6116-0207-00000000E701}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000214837Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:02.807{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64783-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000214836Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:02.807{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64783-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000214835Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.349{079FE16A-54ED-6116-0107-00000000E701}22566644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214834Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-54ED-6116-0107-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214833Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214832Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214831Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214830Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214829Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-54ED-6116-0107-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214828Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.118{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-54ED-6116-0107-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214827Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:05.120{079FE16A-54ED-6116-0107-00000000E701}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161113Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:02.904{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52126-false10.0.1.12-8000- 23542300x8000000000000000214848Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:06.932{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9726C8DD8463FF0D60287ADA3BEEB59E,SHA256=946DB35AB63F276AC2A1CB255B7103BCF5DFD5F97E073331577C42BF31CFFA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161115Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:06.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580B9E742F887A788DC3D3D5AB67BE03,SHA256=338CCB695ECE2118937508647DB40D155C8CE392EE506DBAAFE16A6EF5143102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214847Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:06.133{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=102B72B8827C20C0D574405648E8F525,SHA256=9FA5D5DFE504E93F4255B46A01D0A719CAD1165089FADE17C49A7CB6A3E4F4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214850Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:07.947{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCBA74E213B85280B4001D5517DD676,SHA256=F628FB92C5809D114F224198581E6883A7025FDE078EC6CD2552A2BB3A14C556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161116Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:07.613{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9930FA19A0008C81DD7304A00C8A0208,SHA256=F1B0402063FEAD04AC03250DB522B759E1032C8A91D5BA84FD27E209A51DD4B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214849Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:04.358{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64784-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214855Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.977{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A404463F04BA4C0B68650D7364C82D00,SHA256=67FA7DF501095DAD905923A3BCE13E914A47B0DBEAE77ED93850FCF17EED4202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161117Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:08.628{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46019569ECDA63DB54178093F51F6EF,SHA256=8CBAE3BCC804ED8A466CA13E6DE321F26C3980331BD089F07F50B91D7881153B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214854Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.100{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000214853Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.100{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214852Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.100{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb4f7f1.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214851Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:08.078{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\aborted-session-pingMD5=CAEA4F5BD0E545848441AA79CB952B91,SHA256=639DAB59D87158DA6BDEB9DDE7918AB07A27F67F22BC20480D5CF682B4A91651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161118Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:09.628{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AD1844F4E41F43C40C9E0E4088A73C,SHA256=DECB5981878061796FCA7F319E492EE79F39F313AB62F648157A5D1381525B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161120Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:10.628{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B096E8D8567E80AC7E3FBA95890851,SHA256=9A4D5BACAD6EE39ACBA070D2418271C072CF35953923E3B37732339C33E48D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214856Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:10.016{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89C9C41393140062A15D50C3F5A6421,SHA256=4CCFAE979AD1C54CB95890DE862DE66893A2CF907F13FFCE2E75F2604B347944,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161119Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:08.794{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52127-false10.0.1.12-8000- 23542300x8000000000000000161121Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:11.628{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACC901FE94B7D08C46469F5ED27872D,SHA256=C75986B17413A54C40258AEB1A8202513B5725F20033A98035FFE107D495000E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214857Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:11.045{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19E2EA0039B8AB45B9788EE49C80467,SHA256=6295F48301B9E614242CCC644A524E25E455906AB285866CDDC3431F441B2331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161122Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:12.644{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE1E1524B19430BDEC76F3DF9E7B7F2,SHA256=32362B5A0E7E8EBEED8308DDDF5171A15A9D6EA547B132CFAFD22A647E5FCF5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214859Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:10.170{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64785-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214858Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:12.060{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862A87184A05B5A7BA875C76494AA4BD,SHA256=292C7A24187856B1B468E6C91A7119662AFFF9E887D62F205698250FC17C1667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161123Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:13.644{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BE225CB6D72C42A66982354BF94BA8,SHA256=DDE4ECDC16DEB8179E986AE91888F3B5A49DD56F9B7294A847612886DC1E4402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214860Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:13.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEA43B3395A59C534A8A86BE8A5674D,SHA256=1D4EBAC3CE9B9031FA0D37C750F816260A929393A4B067D72E6957BF9EBB8A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161124Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:14.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9A4ADAA57ACA7FD1D7F0D056C4B591,SHA256=9C204B1F8F6E7D9D39A0D8EF7D2C00B48FEB1142F24457C45B17FCF341197D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214861Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:14.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B2F61521CE16DACECA166EF2E5C6F8,SHA256=2056CE93EC94211A7B9972C74EEF7C37E73DD2E89C4DA35877AB0B298F4343FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161125Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:15.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404755EEA358145304C464D9CD989B65,SHA256=0231912D12D5A30BEC67C0ABF89EF88932AEDF598F7F2A2C35FBEAB7EA05A0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214862Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:15.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FFCE413A85466972F69B06B4C5B2B7,SHA256=9887CD5EACDD31B3E90F1A66FC0A3EE603872787A34CE906EB880AD94B187F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161126Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:16.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE3264CE6232764E9B42912510686C0,SHA256=D48EE01326C22E63424A570337900A9A2B85221EBB554B72C981B772FA1E56AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214863Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:16.095{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3640C20D27F7A5C3A60136E1EFFA10FD,SHA256=7FBEE11D8C65F7B797A86C3D40F2DAC2C84A53E39E9A17575071A33A87C038C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161128Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:17.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096FE8E199E4E280A91665B0A7868F69,SHA256=583AF7F311E1B53825A94D941A32CE8AC239EA894C265F055AB3FEB3E24903DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214864Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:17.112{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0159FBFF45C837DE78828280678F5B8,SHA256=5AE69F601F76E631D9A621508CF39EFF2BB2756734281EE965477CE22BA9835B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161127Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:14.810{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52128-false10.0.1.12-8000- 23542300x8000000000000000161129Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:18.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CC40E3FCBE949EFB400B2030AE2684,SHA256=9E6B4802F4DB1A3AEF235A87F6BA2A475E5804460E90329F5D9B780269B67208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214866Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:16.215{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64786-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214865Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:18.126{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9697EA0F917D605CC94EF250F1301230,SHA256=41FF90530C57120ACCB2DAB122A8700436F26E983FFDCB032A7D866B335B51DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161130Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:19.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E17483F49CC0C50D95F8822C970F438,SHA256=64E6A3DE1BBD849B3A3D31F9B2DCC46399A966E6B9F8888130E2158D2BAEA019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214867Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:19.141{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F37FCB999C42BA64550121733D3D2C,SHA256=2EC30E7A96A7B3123FA6D5B82FBC9C498F7EEF8FD3AC570E5733D78A95372B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161131Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:20.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE006C8C68EA9A2FE8A6A0D9F3C35A26,SHA256=5599B592CEE3DA0FD81C13D4729924B26FF47B5F37AED48E731381CBBA9DE8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214868Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:20.156{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC93DF6BB386BF1F987A9B49B92AE75B,SHA256=C5D63481EB02703B0A1BE506996305B2577D8683681FE1476229EC9C3EADF58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161132Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:21.675{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206A07968D4412E2F5B0F958D185814D,SHA256=23F5E3A43257D18DB250B44AFDFA323C374B1D26680CE758476BA57388E08447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214869Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:21.171{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A5102B1DD6AB57CA80B5A920185428,SHA256=BA9EA6000CBA939ACE15B593F791C9956727648EC15D95ADEEEC3362AB610C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161133Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:22.675{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C0335D0AFC59BB006F3B9E4B5B50D9,SHA256=4E3E1C4B5910E41D4393C962403261E9466593162A2D40B4064B149C8B0B2B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214870Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:22.188{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9AFEA70699E5487F6D9C28A97EEA37,SHA256=1EF3930C6B8592A6EE182404FC31A108A6C819EC00FED1856D4A0A8BC6A6BE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161135Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:23.675{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B64A280839905FC041752A61D826A12,SHA256=1BF08FA07C4131F2FD15ED5828EE2526E2AE2ECEA637E0CE0EB8A2259247BA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214871Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:23.207{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C24F4B4D1D6E458BD9554700BD658C1,SHA256=617B2AC5F436A20708F764BF1DF7B6337B179C05412930DC3783229A1159E9A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161134Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:20.842{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52129-false10.0.1.12-8000- 23542300x8000000000000000161136Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:24.753{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EA1A7897A78D852BE7BFF28DC78003,SHA256=0C940B1BEEF869286A72EF692D1070DC9899E69FCF3C00E294BCF20161D726B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214873Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:22.210{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64787-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214872Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:24.221{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6200F7122CAE9340F404901A71629D,SHA256=FC5D3F226F228BF6175927B252FAAAED6330D99BCF48570DAB7BB5616F961B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161137Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:25.769{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F570E894F399FDC36F26F3324F8001A6,SHA256=6F557B36E73752A9F6BC55AD22E11226B85C322EFF05711F458C31D0F3A84DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214874Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:25.236{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763A7F1B3E8FAF689AB920C295476931,SHA256=79D40877F437C68A9F76A0D0D224C522A4056C9B031F3222B2E44DC2D9D0405E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161138Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:26.785{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B73C01DC636F4774A9851CCC849B4E,SHA256=8091A49014C59A777C1CB10BBB4D5ECD9BA8FC5BFE80C847DA4660F06418CF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214875Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:26.250{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0025CE4272960B53FA22435D833DDFCA,SHA256=D0C059A818A67FCE3B92F1F66F07A43C2DFF1EE75695AB1ADE5154DBBAA462CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161139Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:27.816{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B85831340822FCFEF3E554477DFFCA,SHA256=90E93CD7873439845F2E6FA445D38A2E6150699AA3F5EDE4EC7D32D55D459D12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214878Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:27.733{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214877Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:27.733{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214876Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:27.264{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A363A361F97D43A7D8909CD3D98C7A,SHA256=5B195E181BD6F0D993BC96DDC80E5C4FCC608BD3D49DE707327216C82C3E6935,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161141Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:25.889{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52130-false10.0.1.12-8000- 23542300x8000000000000000161140Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:28.816{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13AC366C7C77B9083782AA2CC792404,SHA256=AFF8D817FF869CD82D77A00E88957D48795D9A98B0EDA206813771B5DCC4B419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214879Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:28.283{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04363F8BBF33C949AFA350505F90FBDB,SHA256=93B403ED9BC0A33242875D4916CC181CBB8092908D5FBAF9049A1350E6592346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161142Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:29.831{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54E12E397E8E5C5334F3A89F63694DE,SHA256=F79BBBD79465D1BEEC9BC1FDD51B3D6696F99364D09852234577C0EADFB97771,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214881Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:27.243{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64788-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214880Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:29.316{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47F36DC0DF79E0E36E9414A05B30664,SHA256=0FFB892E0F1EC3C4336BCC9A85C84F146B1ED821B040A1AA8D9EA1DD194BAE9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161143Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:30.831{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34899E0022E7BFB3DB1DC4DC0B9F5587,SHA256=DABB218F9597E9C8E5CF62542EA95D16A1F3859CB1CF682E79E059BC41EB43ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214882Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:30.382{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4EBF748F366C12CA0B91F50F4BFEF1,SHA256=86B2745B7DEADD933CF2B4EE248FDBAD190902A6165A971CF475691C599E1D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161144Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:31.831{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE9D41AADF31AA8D82CA83D92B59D25,SHA256=3FD403B4FDB5CF64995CE7FF3C8CDC7465A7798D573454E2B7A79E0981977D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214920Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.679{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D514106C2C95D9462B339393F67FCF1F,SHA256=4977F862D496055FEACA3F4819E1B3419B5B01C0B5FD1F4E405702ACB4A6D0F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214919Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214918Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214917Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214916Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214915Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214914Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214913Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214912Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214911Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214910Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214909Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214908Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214907Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214906Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214905Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214904Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214903Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214902Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214901Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214900Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214899Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214898Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214897Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214896Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214895Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214894Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214893Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214892Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214891Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214890Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214889Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214888Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214887Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214886Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214885Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214884Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214883Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:31.062{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161145Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:32.831{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA930EDA888C11EE2D20AA552CD703CD,SHA256=7D6D17C01E0D6297D618053447932C4FB1C88919F4B1CACD0E127A5367DF54B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214921Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:32.714{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28DC76227569526CF42B8ED19194B0B7,SHA256=B5C21917B779429B46F5059DF327CF47AC9914F1C5DFF45BE7DF12CE8537A2A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161147Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:31.764{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52131-false10.0.1.12-8000- 23542300x8000000000000000161146Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:33.863{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815BED63DB6BFFF820EAE1DC1F9F8625,SHA256=2605BA0386648425F55866B767F26FFA891F49A0E8E479065806EEC3441B17D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214922Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:33.728{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C20537029BD9069B88210A6A5E7DC2,SHA256=FC018050F911678F73CB08FB57FCB23DCFF1CF9E4C765FBA465F14C5FC9F2827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161148Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:34.878{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFE9A0889914F211BBB0762772FB467,SHA256=65CF94A377D8746897D6BE74A8436725584617E70F2DB583012F50187203CFD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214924Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:32.285{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64789-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214923Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:34.743{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265942110A63EC2761885BDB204FE508,SHA256=D44F443C1D9151A319E033CDE9A927E9106D94CE97E3372B6EEA0DFF129BF26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161150Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:35.894{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F7B3201F7704182A58BD0395947B28,SHA256=425FD47616E39264494C4FBD4BE509E0D198EF37A66CD5233FEF29F355F40A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214925Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:35.778{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B343FEFB34C1548E3FFEC5C6ED5DB3,SHA256=593C47FBE2871AE82CC2DC704B250C3290F9169476DB1D3F982EBBE832B42DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161149Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:35.300{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=77C724432076DB40D4285CBAB5867874,SHA256=EB3DCBA7AF50F0A7510DA6CBCE1332608391F69337DE3CB262808F1C0B0663EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161151Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:36.972{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AACC35DF8E5230325992AD64C67597,SHA256=7F02B4F7B874288001A3F08C8FFDDA1408277AD3CA0C2569E22FE83C719FF541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214927Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:36.873{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DB7301B2DB28F811A94C84CEA421A9AE,SHA256=1D21D1A99D4D9BEF4237FB91FCCE591243AEB9C0AFBC2CBE79AEFD374067161F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214926Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:36.857{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6A35E8EE671F667DE666320AD217F2,SHA256=B8969F114496B4B79872D62388052DE9F55E2FE7ED0D5D67FD6C7A4E352907AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161152Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:37.972{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F3F294E06FF84AD6933DAA0C6A65DE,SHA256=B9C43B25187BCD4AD5D46B754AE7FF59B9B3087B4309318F1BC7F33C5165DA4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214928Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:37.874{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318FE2B6E5110C6298D527D73B8D5CD4,SHA256=39E2BCCE0F909865165FBFDE04925C94066BC0DDA91B4E51ECCDE37A44DB6CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161153Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:38.988{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D730B5C2E3C4A733976D5EEC28D54C,SHA256=554CCFAFE9795C163EFE04D6C59FD506451A6C284ECE2DA0FEEB84DE46C8D9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214930Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:38.892{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A16156DB33CA066555B0C4A0EA8B38,SHA256=7D2FD56748D1DF55A467E9BCF961218513418DAF570A5F4A5A762AD6C2926C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214929Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:38.755{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161155Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:39.988{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE91BD82FAB60378EA0E7EC3B9E2E8E,SHA256=B8BED75A9D11FBAAD47EEC046F8ED816D4CABC4E89F0A3B819538DB329ADC47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214933Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:39.923{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF0AD42E724F2FBBDC6CB3358C45364,SHA256=E764A67CDF49EED1D6A7883E1FE3D9EDC74895C459DB24DBDDE169089BB54A72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161154Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:36.780{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52132-false10.0.1.12-8000- 354300x8000000000000000214932Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:37.865{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64791-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000214931Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:37.296{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64790-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214934Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:40.953{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E24E889C603D8605D00FBA2A9E933D,SHA256=1A26E1F7282F0F77D9DFDC74B8C2B61AF5C93522D5EFCF5C7F1520FBFD0994D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214935Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:41.971{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF04B4FC10858EFE4713BB968C8972C5,SHA256=0748896F71A43EC1E0ACB48473D6BAF4C1A046419C8DB9CA3999D173ED2E0844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161156Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:41.003{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9232A021497686427C149790EF9B3C,SHA256=69828AC60150D8E00B7AD2B9C45059729381692BE26C9E1687D0D78AF0F07AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214936Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:42.989{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E1D6404210F8478B3FA6B4D26C6118,SHA256=10EC72DE7BBCD1673FDE896CFB1C6A064672E38C32B93A4A58169494D9F10A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161157Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:42.035{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DA57027CC07FCCB6A37E23F5BED5DB,SHA256=C344CD18485E2915A3138B7A54FE57014FDB7FA3FCBFE67CA1352FDDEC4DFCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161158Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:43.035{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A5028E93589EE421D2CA9E6C01ECDE,SHA256=C1A37E385A642A50D7479ACDED0CD673226011AACEE4C1E1391E3FA939E6867A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161159Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:44.081{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A352505A844AE440A1ABAFE37AF74FF3,SHA256=2888D4DAA477D43A1B26E3E36049B8564363CDF22B5E880EFD3D28BDCD16A938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214937Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:44.019{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9972435B9F3175B728EB822B33F0E4DA,SHA256=86044DC49CCD6E2939C00F1725A8B259425CF4949545AF0AE9B339DDF2C97E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161174Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5515-6116-F805-00000000E801}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161173Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161172Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161171Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161170Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161169Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161168Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161167Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161166Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161165Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161164Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5515-6116-F805-00000000E801}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161163Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5515-6116-F805-00000000E801}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161162Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.660{C6197713-5515-6116-F805-00000000E801}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161161Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:41.811{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52133-false10.0.1.12-8000- 23542300x8000000000000000161160Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:45.191{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF487E4EACEB15F5BF1CCE04D1E258C,SHA256=47D9881DF2B384625A32BF2D6D220B0250B91F5DD4BCD7E6DCB62A1999A5B791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214938Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:45.034{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B6B8ED835C45C624E462A90ED0C09B,SHA256=351D765EAEE006E497295293E14097ADF3F8DD9FF661FAAD446AF369DFA2A2AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214940Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:43.313{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64792-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214939Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:46.051{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB3804AA93DD088C575C3E3777D2101,SHA256=91E2B7CD72B99E5A5EDD41492DEC7F8A2BD507250005FDDD5FCCE8FF315E3BFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161203Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5516-6116-FA05-00000000E801}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161202Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161201Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161200Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161199Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161198Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161197Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161196Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161195Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161194Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161193Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5516-6116-FA05-00000000E801}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161192Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.831{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5516-6116-FA05-00000000E801}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161191Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.832{C6197713-5516-6116-FA05-00000000E801}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161190Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDDCB701817884A6F324D2BE14DE428,SHA256=FCAB3388C0E90A6614F615CEE628883F2E5812B9DD0DDF34BFF548A623BBE8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161189Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.660{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B88F6A41A09DC029F29D84DBA71DCE4,SHA256=E2DC4EC9FA60C8E684B892A33AB8F68937687E7D2829F8C3437D429CF6D3E493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161188Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5516-6116-F905-00000000E801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161187Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161186Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161185Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161184Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161183Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161182Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161181Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161180Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161179Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5516-6116-F905-00000000E801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161178Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161177Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.331{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5516-6116-F905-00000000E801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161176Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.332{C6197713-5516-6116-F905-00000000E801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161175Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.191{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE09979F5001B1E1B63D1FD9EE852E80,SHA256=B20DEC31E6214D3F0CC7BB09936274D6A6C5B1B6F9911DAA4AF19C7949C14558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214941Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:47.073{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B455695F963A1126CEA95603F4F09BA,SHA256=E5E63C109A52A3EA1887AE0643B6FE9D659BC2257FC12D17FB66B8C2C0954101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161206Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:47.910{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDDCB701817884A6F324D2BE14DE428,SHA256=FCAB3388C0E90A6614F615CEE628883F2E5812B9DD0DDF34BFF548A623BBE8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161205Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:47.300{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C73067F487C94B785D2BEFE2EAE434,SHA256=CE1DB5AD3E1F99027E97D8ECD52EBD3D7E8B1E55EF64DCCFD62D1FADB55A58F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161204Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.988{C6197713-5516-6116-FA05-00000000E801}9283944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161236Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.988{C6197713-5518-6116-FC05-00000000E801}3256416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161235Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5518-6116-FC05-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161234Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161233Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161232Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5518-6116-FC05-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161231Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161230Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161229Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161228Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161227Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161226Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5518-6116-FC05-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161225Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161224Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.785{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161223Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.786{C6197713-5518-6116-FC05-00000000E801}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161222Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.503{C6197713-5518-6116-FB05-00000000E801}3488348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161221Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.316{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FABE4C81A85401AA7C1A19949E5E77F,SHA256=DA44C3A89E6EF75763EA7CE3B0FD7E9DF87DD57A41598DB87CEA89838C775B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161220Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.316{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214944Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:48.422{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214943Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:48.422{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-539A-6116-D106-00000000E701}2540C:\Users\Administrator\Downloads\ProcessMonitor\Procmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214942Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:48.091{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB4DACD73AFDA45B415B0EBD6CA8E42,SHA256=9BE69240F05A7724509024E0B6DD7DA2D5988947343CF484A725933B2650A93C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161219Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5518-6116-FB05-00000000E801}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161218Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161217Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161216Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161215Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161214Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161213Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161212Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161211Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161210Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161209Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5518-6116-FB05-00000000E801}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161208Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5518-6116-FB05-00000000E801}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161207Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:48.285{C6197713-5518-6116-FB05-00000000E801}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161253Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.613{C6197713-5519-6116-FD05-00000000E801}32161736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161252Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5519-6116-FD05-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161251Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161250Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161249Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161248Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161247Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161246Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161245Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161244Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161243Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161242Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5519-6116-FD05-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161241Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.456{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5519-6116-FD05-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161240Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.457{C6197713-5519-6116-FD05-00000000E801}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161239Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.363{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1549F7F3CEDC829EE7F88505A26D8F9,SHA256=AD1DA80A9F6E1DC1B6550B519E32992C7326511D2A18BD714908566943A1E293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214945Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:49.121{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E00B2AE380EB819BC5FBC802E2C1107,SHA256=991B49C21C3EB65EC5AF0C61F3D079A714A6C997A7E0986671A895D1E07E3BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161238Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:49.300{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=087A5E671486F8B6284F84C0704D4C9B,SHA256=A8B4903E1578E9983E747BEE82F3400982DC87DCFB7D4C0B73923C4836D6C365,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161237Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:46.920{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52134-false10.0.1.12-8000- 23542300x8000000000000000161269Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.910{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BEA1AECEA3138D036CF7AB680516CA,SHA256=3E93244045C73F2959ACA5F0A7B211FB54F71D41ED48BF0C5BF335B260EAAAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161268Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.910{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A1F35820D4344AB24473A201EB6D8F4,SHA256=C40590A54F1538BEF3CB060AFF415612B2D827C01C50FD70CC65DE9C78C59A70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161267Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:47.967{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52135-false10.0.1.12-8089- 23542300x8000000000000000214946Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:50.171{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB9C9EAC1ADB71146B657CEABB13C9F,SHA256=F8A83514C9A95DA909878BC8C91F871AA478434C2679A3B07BA624A8F4C65B47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161266Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-551A-6116-FE05-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161265Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161264Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161263Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161262Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161261Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161260Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161259Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161258Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161257Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161256Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-551A-6116-FE05-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161255Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.128{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-551A-6116-FE05-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161254Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:50.129{C6197713-551A-6116-FE05-00000000E801}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161270Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:51.597{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB75CC560AEC513131FF3A24B8A16016,SHA256=2CBAA712BD785842C54BB131CA4328E425851E5435C5ADFDD863038939BBC4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214947Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:51.189{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921B03EF93CE0F1503C915F6E8BC93B1,SHA256=F3E2A91498D9B0ABDDC3836955D38837010FB24B0DE14D2A403181157CFF8AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161271Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:52.646{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DD01740629AE907283779622E81E3E,SHA256=951068A30EA2D4245F2B86897961C236B37435475058F2DF988DAF179234F450,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214949Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:49.331{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64793-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214948Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:52.203{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB11E9386FE139B717914470096780D5,SHA256=0D97509EB43FCD8CE7BC2705C305F654CA788A3376A6F7B3B87C3B56CA701999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161272Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:53.659{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB2E8FB27B1E75C25C52D58CAD3614C,SHA256=0CE94BF34DA68ECACD428F02DC4CBEC5F512ECD7CDC1D5BA556ED393E4143EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214950Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:53.218{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC55B5DEB8541D5A776785CBD3E8CCCA,SHA256=A05C76B7A70CF628853CA23F634B92E349683970A0DEC8117799ECB3685C9FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161274Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:54.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6546BB98415F22F70B52EB77B80A17,SHA256=FC78F970144EE080AF49A85AA16FC95F34D5A0D9C110CD46A4A37E46B2EC217D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161273Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:52.733{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52136-false10.0.1.12-8000- 23542300x8000000000000000214951Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:54.248{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12C0C0D5FFD80251F9B6D2661EE95E3,SHA256=6573FF4E999176348B66257AEF303AE77EF5356C9B67217284D60428E0CC9E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161275Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:55.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DFD377E9D47C1419A1669D9B0CBCB9,SHA256=3A60786ABC7B244E3CA2DB6D18FCE6A121CFE776D454E0CD3CABAAE40BB64CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214952Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:55.248{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9331799BBEEA40D59EC39DA728A09D,SHA256=ADF223899CCDBA8355AD853098F4939F2976345D58049C0FF40D7F0DD227EBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161276Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:56.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAFC3776E5974C8AC3EEAAA4AA21FBD,SHA256=42FFB8C4F5A81DFB439281E372D140AC1F5FC85987E697CAB5F1E2752921D1AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214954Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:56.647{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000214953Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:56.266{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E9F349F5266285EE9CB8454CF613E5,SHA256=37F229FA6FC11CD671F222156B92E9AA5670A5D47174D620D796739BA1D72801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161277Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:57.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B152110491FEB93901F0972A4273B282,SHA256=966861E57131CC1328B0667F3855C8291CEF947419637EEA698707DAEBD856D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214956Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:54.373{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64794-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214955Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:57.300{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DBBB1F2310DF3F373993DE85FE896A,SHA256=C319DD53B7F3A6C4C4DAE8CF4CD184D375566F87793D40CFBAA7D69636134506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161278Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:58.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A784A9E75943E11478739163FE804B8C,SHA256=BF716F9A04F398F96EF586A618D0250E0AB13A554A2C8567AED1A593E3CCEE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214957Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:58.314{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FFA3A7DF0A9101B3052010FB497174,SHA256=D183EB37D68667FBA122A2C9256B47B1C2D126CE0FA500C1DE0351F1A2674A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161279Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:59.662{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EF5378DB479DC16DE633F11982C530,SHA256=807C2229A6A5C39FCFD70C5A63089278FCED27B1F9C6AA630DC49ECB7A5E4601,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214966Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.766{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5523-6116-0307-00000000E701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214965Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214964Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214963Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214962Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214961Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.764{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5523-6116-0307-00000000E701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214960Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.763{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5523-6116-0307-00000000E701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214959Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.762{079FE16A-5523-6116-0307-00000000E701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214958Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:18:59.329{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD13F5023A7832C934392DA793E30A6,SHA256=E454F887E3A4249B54E5567D170B314E310877B8209ACC1AA73CE873E85D5DE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161281Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:18:58.767{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52137-false10.0.1.12-8000- 23542300x8000000000000000161280Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:00.693{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C826DEA6D195CED0CA58AA59B80A6638,SHA256=D1A33CE54FE6F0ADE239E7B23D868975EF0DF83104B6DED0AE6A317CE18E6FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214978Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.771{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C25D9D777808EDF7E8746AD16DADCFE9,SHA256=7A49CA2B5F835D0307F09E253508244436A3FC9EBB2EBC37DB5E9FAA867559AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214977Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.771{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03889430E4E9041C3BFFBF86DC6DB76A,SHA256=CDCB5FEB50C1A21C2B2213EDF966C2B19E3F3CFC15D78FAA7331F40238F221B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214976Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5524-6116-0407-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214975Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214974Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214973Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214972Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214971Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5524-6116-0407-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214970Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.423{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5524-6116-0407-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214969Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.424{079FE16A-5524-6116-0407-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214968Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.354{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBAD051309AA5606AE7B83B01A4D7A8,SHA256=5D9D5E2726F5144C766AC766FB377FEF0E04CC13CE39A8EDC6EB2745B336B0B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214967Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.078{079FE16A-5523-6116-0307-00000000E701}43806744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161282Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:01.693{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08618CBE7C6F193E635A4F7DA468372C,SHA256=B8EDAD51A85F0D37C814E1C5E8DC2C62D063AD973103A79A9FDD57FB4560A07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214987Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.370{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D41C34F35F8A086BB4CA19842BBB7F,SHA256=9E8E37CE1B9D8C35FDCE9E1D8A3F06895B87D0245D1F51C53B574D90F1359280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214986Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.093{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5525-6116-0507-00000000E701}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214985Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.092{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214984Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.092{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214983Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.092{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214982Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.092{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214981Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.089{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5525-6116-0507-00000000E701}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214980Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.089{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5525-6116-0507-00000000E701}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214979Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:01.088{079FE16A-5525-6116-0507-00000000E701}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161283Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:02.693{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825AFFF2A60E7B30A52574F9AFC07896,SHA256=355FA460B95C1F3FA4B26BD95BCAD99C1CDEE03CA70E3248E518E7E5C706B540,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000214990Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:00.133{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64795-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000214989Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:02.388{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35122A1BD202B16DBB713FEF0E00D31C,SHA256=22F1F1CF4CB1FE7EECB388AB02E03491C5BB32E07C98B5CE0106C5E76577EAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000214988Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:02.107{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C25D9D777808EDF7E8746AD16DADCFE9,SHA256=7A49CA2B5F835D0307F09E253508244436A3FC9EBB2EBC37DB5E9FAA867559AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161284Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:03.740{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE3EA24409BC4EFEA4C9715FED2608A,SHA256=A70E96714EA60EA6D5A6188D445D235F2667F4810B17D5FA28F0A2FA57164AD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000214999Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5527-6116-0607-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214998Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214997Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214996Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214995Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000214994Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5527-6116-0607-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214993Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.753{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5527-6116-0607-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000214992Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.754{079FE16A-5527-6116-0607-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000214991Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:03.421{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA96471D7CE3C64D9F05CF8C1C212C9,SHA256=CAFABEE41EDB3F5FD4AD4D583134D13B380B2EB7E63445352DC326241FBB1B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161285Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:04.755{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3613A9AEB8C9703F3F76BAD2439E7D8,SHA256=45C22F72FFB2B821EF7837479D543F6F117C81911CC82AFA591656FB091565F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215011Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.707{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCB3E7B88CC8A2E562C40F97DE82173E,SHA256=52314C7452A5250D167108B561E38EF823923A49FCBC1E8563B1C8F1C0C69339,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215010Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.591{079FE16A-5528-6116-0707-00000000E701}12326588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215009Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.439{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8029AFE40923DB7004C41D3ECE183D0,SHA256=BDEEB5B5691A6934F5DB88798FDD883DE4CB0FE221001CF962A35292AFCF166D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215008Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5528-6116-0707-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215007Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215006Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215005Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215004Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215003Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5528-6116-0707-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215002Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.254{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5528-6116-0707-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215001Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.256{079FE16A-5528-6116-0707-00000000E701}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215000Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:04.023{079FE16A-5527-6116-0607-00000000E701}71446240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161286Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:05.755{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9553E15E0E6238B11B82C826671310,SHA256=683FE629AAC69726879E86FD0E12202A165E31FC0506DD948B5C51B0BA246BC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215031Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.968{079FE16A-5529-6116-0907-00000000E701}11046400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215030Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.790{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5529-6116-0907-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215029Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.788{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215028Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.788{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215027Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.787{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215026Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.787{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215025Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.787{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5529-6116-0907-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215024Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.787{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5529-6116-0907-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215023Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.785{079FE16A-5529-6116-0907-00000000E701}1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000215022Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:02.810{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64796-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215021Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:02.810{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64796-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000215020Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.453{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F9816E7EF8AD26F053C705C73BC0F2,SHA256=40843B0F8E0D7A68CA2777034C394F220A262DC9872B97288315F588765BE597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215019Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5529-6116-0807-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215018Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215017Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215016Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215015Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215014Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5529-6116-0807-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215013Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.122{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5529-6116-0807-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215012Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.124{079FE16A-5529-6116-0807-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161287Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:06.755{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C795C7C48A2C81B71419B9E8E237B9,SHA256=37F067BA5421BFCF2F7B6ECD99BF879C502E3D22F2FC1A07DBA61F361DEE2CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215033Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:06.468{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F436691BD085A0396A7302EC900F2715,SHA256=EEA014C8E0A72F0AD97CD388AF37B0EE01807F7FB2DF8F99F4BDA88C87426532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215032Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:06.137{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB1F11AD4C7B158FFD88217F21BFEC3C,SHA256=5E9B0757BD29DE42AA830C5C149D381717932563D7EDA2F862A8CA8C1B627EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161289Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:07.755{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DC89E04A4BF514D79ED82AA3616D69,SHA256=9A17AD4AFD3D991E6921F394958A2E3ECE93960437B66A4369C50E641DEA3DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215035Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:05.231{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64797-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215034Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:07.487{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2321087506B5EB936FFA67AB66711BDF,SHA256=9F9B0805162005045949208BE039E25B00F3CD1E34178433BA6C4EC6746FE1D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161288Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:03.829{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52138-false10.0.1.12-8000- 23542300x8000000000000000161290Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:08.771{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEE4CA5657DCBB00C756380E7CAA1A3,SHA256=C13175DE298CAADBC6A46569C2000F2CD8809CB9280DDB09DCCD77EA503FA755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215036Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:08.521{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C5706BF9226EB7D78C8DC2ECB88C11,SHA256=EAC4FB5D13863B96BBB29DACDB1391CA6C1EF55BB9F8F56A3F0FE299BAC5144C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161291Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:09.771{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03956DA380E66633E2F06F8C948A2FB8,SHA256=EA38549FFB61B8B4435D79CF830CF0D44F8660B900E5826DDCACA99D64AF65C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215037Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:09.535{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E295983095B9E9389DD9BE3650EB82C3,SHA256=D43E9FCDFE8F12FDF5745150F0E70401B8DAF5CDFD6598270758403C23914408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161292Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:10.802{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A40231B412E073380ACB8349401F17,SHA256=E49E520C20B9FF15E28C823496A65FD752063E7981F36A784284A431A0AF0298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215038Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:10.550{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D927DFFCFFB39C9CA3FF76D96F7450,SHA256=0D4D907A450BEC6F61C66BAD126C1B0E5E2C51E9A782DC105B8BF3E70B4FA8C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161294Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:09.735{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52139-false10.0.1.12-8000- 23542300x8000000000000000161293Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:11.802{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C794325FA882207A077D6487F3D397,SHA256=BBF4D8D1717B917C548CE76A3DCB8CAEFE6854BC903BCE232549E9EA593AD696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215039Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:11.565{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA52355094A32ED94C26BC70B237828,SHA256=1277D7F7A96D7E4F4E5361A9C1797BEFE66924D2E782071A66D787433770CDB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161295Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:12.802{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313B2033074BA41ABC5A8F7BD09E2380,SHA256=B51DAA2416DDB73A8CCB59175B5AA0268CDD80A03886497733A46A9A402256A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215041Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:12.583{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E6A8E933AA7945F64B582CAA8EBE1F,SHA256=C68281ECF2F7CA8F11BE4615F64F4BC03990701157667A31D29125921D08B94A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215040Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:10.244{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64798-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161296Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:13.802{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3DC204E5B9B704EF54ED4179B4B809A,SHA256=9DDC794560321AD4D608EDA9ED1FF79ABAED2F8A3A34493804667CCE794D0F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215048Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.601{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FB08C459DE73635FDB0C66E172F164,SHA256=CD44BA467E246C175EB9288D4B9134DD1A72C6864B32266DE0E4968612301B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215047Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.386{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2A7463461396EE1815D1DE9995FDD1B2,SHA256=401B234A10E9C1D95E9467A5F665F5B8E2E091F344855B4A1DD6FE5BEED13E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215046Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.386{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=E70B45A44A0A7F49B1CCB7324A022943,SHA256=2611E3523DB8493CDB1F81CD3228A3251E21974FF1A82D166EE870EAAD9052BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215045Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.386{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=86576348277C1BBDF1680E89E63BECBB,SHA256=C8247AF8D3FCFCB2D66BDAEC3BBDED3A431ED0C5B86374E3A3D5FD55918A3FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215044Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.386{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=825AB2B88FA302E2512A6EE7FD0D42FC,SHA256=AB481D7A07AD3B9D0D25B063668DB67306D8CEAF07A96F4D8D6D9D590AADD73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215043Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.385{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=A76C9F86290BB560CCA66EB9A556D801,SHA256=123961946ABCFE04845461C04C127A819A570BD56D4C7A98A110DA5B327975BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215042Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:13.382{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B724B9AFBBC25326B77C4E81974BB1F5,SHA256=F5B5092F301FCE9D3D43638B302B8E25DE0825FF8890953960E122355E8AC153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161297Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:14.849{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B52959EE18ACD0C2A615487ACD7BFA,SHA256=C88D07ADB12DB69A564B7E4AAA29833FADC912DC23803C4FB0ADE96BC2C42B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215049Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:14.616{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11EA811F278C3CC886BC4E9D86AE935,SHA256=F6C86F119EA239A2D1A8EEF567A8536E265A83B9E2B04A534383CC8E006C639A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161298Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:15.849{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA451D6205ACB90E5F1C91277A49E1D,SHA256=84E1A8539FBAABFC3BCEE348682CC32C4945B974DAC075458EDB067368C715F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215050Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:15.647{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B7052C77F62F2AE9235B2F18DF133C,SHA256=C1FC3BC53D675D5FAD3E2988410211B4F0E2E5AADE970E07A94B0E3988C8F689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161299Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:16.880{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EA8FC18D032BCAC216DBA826E3C54A,SHA256=6D4225F650551AED112069D42B93EFBB0DE3D53FB10687CAB3746268500A550A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215051Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:16.661{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E65188DC889013CCDAB9854B7B5E53,SHA256=D4DE066DF0DF7AC83D251112A762BC3E14BC8377F897130688BB01769871E2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161301Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:17.974{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F52DFCF807ED065909A76B2F8209DC3,SHA256=23403E25E648543E4A23A59CE693658B70DC8E33EC3999F5E4E14F20D7B5CB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215052Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:17.682{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA0FAEFBE65E52B072570626D1534FA,SHA256=6AC76643228AED05491C231B953E04B5E2FD8D9669454A0B0D5630DB3C87AC70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161300Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:14.770{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52140-false10.0.1.12-8000- 354300x8000000000000000215054Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:15.287{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64799-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215053Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:18.697{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C3C5CF4EEEC8EA10C69CF69ED64509,SHA256=98CDFA03E9A18496754F56561B25DDB9DB33F8C2302F6C7C62B6CDBF44009CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215055Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:19.728{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAA9002B7AA84398AD23F23C76F5926,SHA256=D1F36C32B54820F4C5778F575CD5CB6E74019BAF9584712060CBA06824D8205C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161302Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:19.021{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91A09DFA762E2513C3543D55AF57EB5,SHA256=DA6824ECC7887AB79E56B03E91D4CBFEABFC8DC2E7E21D40F6387FFB0E691EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215056Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:20.759{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E1F17DD6D107BD8EA292A3EDC614E6,SHA256=FA5F12C0825AF9DC5E0FF1A12EE4E7F5FD00B91E1C4141DA95FA47E536425348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161303Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:20.084{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E86D23A5F788A3062547B2DFA65640A,SHA256=3CCDB1E35D84AD1A055B80ADBD079040472C8B5D92FF7711DAAAFD57A8D9B758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215057Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:21.778{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFADFE40B7CC983712049131272B1B4A,SHA256=8B4EDF86D630DDBEA83CC857C9F65555986A7784CC8CCEBC3855405BC2370893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161304Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:21.115{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A0751F6AB248406984052B56BD47BE,SHA256=9118FBADC13C43E6245205DABA82E3B0773209B500D62A2BA94BE9592F54B383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215058Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:22.795{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89952042C678F6507466EDDAE6C9F7A,SHA256=1859D2772D15AA7D02AF855A6C74698CB4572F3B033D564EDB632909B6CA0BD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161306Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:19.798{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52141-false10.0.1.12-8000- 23542300x8000000000000000161305Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:22.115{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00E14BFC916661C57EA4F14E778EB6C,SHA256=1DBA622BF0701B3CEF6F4AE4478291320C059C8FA516AEEB7E075834744309E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215060Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:21.220{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64800-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215059Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:23.809{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F8EE18909B674B5736698AD2BA0AEE,SHA256=E663652637C3C885DC640E82E28D3F4C53D498A6F156132C3393DBE4ECCDDE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161307Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:23.115{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E70806D0F3FDACC490DF7F9FD74E69,SHA256=FDCF6C9D4ADBF1D933B172550D8C19D770C5603BF4CDA99F23BCBD025343B7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215061Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:24.824{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38BFDB274FA79D563AF64BEDD1AB7D8,SHA256=B18FA485EB817AF9814A3EDC7BC05E17133006D51383AC1FE4D978368FAB03C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161308Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:24.130{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAECB27B970217D95B7308DB4EFAEB41,SHA256=1EDF91FC2063A92BB1311B5DCBEF626255F11C4035CEF6729271924C006463ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215062Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:25.839{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDFCB25FA4474A900E3C8A31D416B67,SHA256=BBA26B039F0A716AC867D99A90300FDB6AF033F65787BFD21ED3413166EA4A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161309Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:25.130{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA494CA5CF8B65DBAB44A392B001147,SHA256=293745BCC2E7CD42E2EC68130B68683A1FB6C53282725AA9D03565C8C1323166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215063Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:26.854{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152DFC1CC6F4A8343A5E1286F96139A5,SHA256=1E33B906222F0EA7AB565FD2300633122954CDBACC8F489A3128892BD75866BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161310Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:26.162{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AE766FFE85475C4946AC7D34CFA13B,SHA256=65A85CA706E64B1A5731C13D031FCBD44E431273AB13D6A69D32DD4E235A6154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215066Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:27.890{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5B506DB746CE301735F0AC0E08E0F7,SHA256=ADDDC5B102C2B5F50F5D5BC7FD22BBFDE2BDF5909D049E133257C3B1E42BF612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161311Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:27.162{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775D760F1F3449160C8F5C514433863D,SHA256=4177630852F5284CB70A25986195144CB78ABE9FDC0DBD6C251B2CD79638560D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215065Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:27.522{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215064Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:27.522{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215073Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.905{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD06F7343A279837279667288338F2D,SHA256=6837ACC71FD90054EB293A18229197EA6F723DCB0D72829A0AEDCF535AD6E465,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161313Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:25.845{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52142-false10.0.1.12-8000- 23542300x8000000000000000161312Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:28.177{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B836B56FF425F11990B7D3C7DAAB00,SHA256=B04D9320593519BAA777D2363EC67A6A6415606FE726F1F550CBE280D4DF4637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215072Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=4AB053D8ABAEB4C61EBE9D8C0905F16A,SHA256=9A794ACCB3E9E1D2881DEFC2A4B20C3DE3EFAE8B20584476A5F9B904B6CDB330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215071Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=FB35A4D3E2DF2425AD2A4B2CA379E54F,SHA256=44944C7B76E1DC85078C97875E8786FDB86F87F4EB223E5A7D91EE0D0960E1B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215070Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=CB5B8D1E704B2991D58D08CA10435AFF,SHA256=B4C6AB6FAF40A9BA5861CE6FD895D27D04BFC538DB6090BFB543CF1C3C967884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215069Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=29B378B88A65340A109D3F257425E858,SHA256=E05B8D4BD1B4522416B08BE18746A1351D95F3813C8C5061B2A51901BFC831A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215068Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D8CB20734C6D19D5B7C04C0B3B846ED8,SHA256=A037A514777E12A8787C4E952A034995899DB94CDF06346F22403A123F5C868D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215067Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:28.421{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B9552895616D12B3BEAE3E729F47D2FA,SHA256=929F258930F8531CE505BFB4B791B5AD51C371AA6870DED76C2D6DEF58F1C54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215075Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:29.920{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4239D9780FACFD9EBA9AC34B7EF5FD,SHA256=2650F4B531A028907F816B5C8D009F796F19F9B2DD0976BCFD00D841A5FAA501,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215074Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:27.246{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64801-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161314Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:29.193{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2854A32CA353B659E45FDF6C24C282F4,SHA256=A10CD136116D465F62E380F3F0CC11A43EDC98A53A0B963AF45150ABDE4AA4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215076Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:30.934{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF864155ECD5855D0EA8C261E6F75BBC,SHA256=B1B1895E2F3630BE33C932957F2621511D9BF04655CB0D09B21ECDACD2ACDD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161315Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:30.193{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF281CD4F07B27426460DBA826507D4,SHA256=D902EB4D339064627BA68B25F3D53E3A5F8AE9847076B78F4D4AF747F5D65382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215077Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:31.949{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC035F02C3A7E7B60BE1B35D0518A04,SHA256=17E8814797F478BECAC3151961DF975704102DF8CA5F650D62BB784F00493477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161316Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:31.209{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAEB05C26ACDB578C6DCDE21B25CD99,SHA256=4C303A6177B7BDEE9F2A1700B0C025241C9AA744D4544D05A91A0EEEBFAF3428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215078Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:32.966{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EAD0E45070EFF0526BA13937A67F80,SHA256=679B5BE17BC16B606807D18E8D520F7989DE69001F420ECD9D81C33504D29708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161317Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:32.255{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B465A972FE16791E49E9CF177AAA1E,SHA256=40A9565B7AC63424410E660CB20088B17FD0B8F2B42864BFB7DD2040EDBEBD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215079Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:33.984{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B555D946596E0496CE1DD290DFF25AA,SHA256=2F4E82D68A6EBA04B63870AA4A47755E0963986DFC5F840C5995BC51A9A3FFD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161319Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:30.908{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52143-false10.0.1.12-8000- 23542300x8000000000000000161318Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:33.255{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE48F4C68FB70DABD47822A01E4E71F,SHA256=F740E702939712A63E57336B0979EC0EB85ACF98B1D7EFA8059692C3AFB534D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161320Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:34.255{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DA4CA1F832E09777581C6F733A8E5C,SHA256=30D67D72A62ED58C4C623F06159822EA61CF28B9F08D1F0D26E8D953AB873F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215080Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:34.999{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EB3A5CCB891450FC5D4D5C34E40ACB,SHA256=BD60C79DBD1FC6BA082C686C87D8636582B2229B66378DC6622E4E22D7D00A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161322Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:35.302{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=044178DC3CCD2F5935637BDE94FC6723,SHA256=E47235052D2691313571F5FAB38C837ADB0633D1CE87FD151CA249F8E109C170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161321Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:35.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8EBC815B697BAA972650258661589A,SHA256=1039CC000FA77E56820BD0A3635C3DD92EED6A50D91C4CCAB2DB35FA4762BA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161323Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:36.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2335241D028261DA22CC4E02102D1AB,SHA256=12D61F9173CB7AEDA7C750BCCE40EBAA75F538FCC5DA63E6BD45D4EE786E0BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215083Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:36.882{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6AD76AA11415D693F92A82CA88717AAC,SHA256=CEDD68B2AFACE491BF986D4924873F8F2C3CE7397A83371EAFDD89A2ED00C216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215082Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:33.272{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64802-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215081Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:36.030{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0525C745A47476991A45755FF108338A,SHA256=B006E95E41A445E07D05274FCCF35330111527E55394CDC47D4FD81F832E96C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161324Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:37.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48B0DB8BA1F6AE8311D477910E3CBEA,SHA256=C2748C5943440DC320A958C32B37151FB9E0A2E71A8017FE220E69DE7C9C5A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215085Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:37.629{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\permissions.sqlite-journalMD5=8CF7A7DA6769D23C478264D99641227F,SHA256=574BEFD8A720F505E798314999F886132D073E1B697DA8AAB7BE3748F28D185E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215084Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:37.045{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9FD05458B365384EEFB1248F5B5C82,SHA256=608AA1846C0EE5FD7276A69A8BB8A983D24C40459B4DC5E9D8E217B4C1773101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161325Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:38.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58D07091FBC0CA67CDA7F439AE74E4A,SHA256=C16FE11D7768E6B61FEB754C13F1CE4E00C8C6F35F357D0368B4E8F3006D580E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215087Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:38.782{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215086Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:38.063{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C7B1BE4B73CF821B495FE93285E6A9,SHA256=4A8E3DE462E564E7CBB867CBC17571127AE449B7520F4380916505DB6DC7ED60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161327Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:36.751{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52144-false10.0.1.12-8000- 23542300x8000000000000000161326Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:39.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBFFBE0A9E8C799430B35C274236668,SHA256=ADED77FA18CE838835439AA0E02512C758CE61C32265240FA53613C72D43BB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215088Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:39.082{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8A83C7F51242D857D1A2FEE044E720,SHA256=360062B7A82A23D559C119C12DE0409E29EC7822B4C8AAB0E40B01BD8F96AE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161328Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:40.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E16A514A5A584AF21FD43F7D3A6DA58,SHA256=42799ECA4999E86A9F568EC40CA6D82806C0225D06D363A6020E1F6D228C5628,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215090Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:37.886{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64803-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000215089Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:40.096{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BD0AFAE5688C825205DA93BCBEAFE0,SHA256=9155A3DB2781A5ADFD6F00A6DB77E1EC8224B995B6D386E981069A5B72BCDFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161329Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:41.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F735E00FD8071BC4B9D9FA86744AF116,SHA256=36133BBCECFC6385CB19C55173C91C1B983333719D578D53FEE13767A5E9E6DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215092Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:38.391{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64804-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215091Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:41.100{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6431390855F9E4012291DB6E7EBA8DEA,SHA256=02B66604C648EEE09D8C3F78531C41DC9426A722DA848D45A9B65055BCEEB24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161330Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:42.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDA0F17D073D1F6E350885ED9DC2361,SHA256=81D29418CCB1B00550EBF7C141718C992AC86A8CD7173C9A047775CDD7927F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215093Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:42.115{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AF7C33195FF802604FF0BF4D54EF7D,SHA256=EA966001CE96D2DC286722F8B0AEAD30CAEBC340B1DC1C9C58EC0DF59083289B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161331Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:43.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE618BB87E222B138BF5F20DC4B73A3F,SHA256=7AEA148B1E0B787004D4AB9700BCD1864C30D77DE21A0E09366282FD9FB863FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215094Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:43.146{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0802B844581DC8DF0D4B7B2A1F7B226,SHA256=E94A9F1BAA6CD07BF10B5344262D192D2C62E4E5708535CFD239A24F3C77AB8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161333Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:41.877{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52145-false10.0.1.12-8000- 23542300x8000000000000000161332Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:44.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597600463CFE523ECFB6032D94305532,SHA256=A5548B972016FA37E27D1A9D38E278403B4B77C54EC75B3A8CE626D3EE949DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215095Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:44.163{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4B31BD711554361EDB6BA97613DD4F,SHA256=CF9A537DA5FC440FD015B89560BF45A626C5D5A9A55E09853986D3753BFCA60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215096Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:45.181{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5ED509DE7F200C9B3D4733CC9A954F,SHA256=AF71A632D2715533581FA136E5B4AAAB4A7F1B7F08126CA4A37ADE56071A85E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161347Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5551-6116-FF05-00000000E801}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161346Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161345Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161344Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161343Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161342Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161341Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161340Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161339Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161338Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161337Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5551-6116-FF05-00000000E801}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161336Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.646{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5551-6116-FF05-00000000E801}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161335Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.647{C6197713-5551-6116-FF05-00000000E801}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161334Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:45.287{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B67ACF1E96494C95D0CC4C393EF76A,SHA256=A9FC37CF2BA3A963FD60EB711E8AC050020D31A83D8CB1A9624CC426441E7854,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161376Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5552-6116-0106-00000000E801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161375Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161374Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161373Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161372Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161371Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161370Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161369Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161368Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161367Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161366Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5552-6116-0106-00000000E801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161365Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.990{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5552-6116-0106-00000000E801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161364Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.991{C6197713-5552-6116-0106-00000000E801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161363Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.834{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED2C0E63BCDFB57E7E8880044C3D60B5,SHA256=7DF96B64A994EFEEC3259AA26668A6D00F1B8D6CA0B3EE3343CE65F5C87E7E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161362Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.834{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA248007A3B5F3D0DADC5072EE34EBAA,SHA256=FA6C4BBBCF1F0A935A006F309F2FC46874E572A6CC14A526246FC4D58EEB3809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161361Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5552-6116-0006-00000000E801}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161360Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161359Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161358Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161357Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161356Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161355Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161354Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161353Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161352Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161351Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5552-6116-0006-00000000E801}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161350Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.318{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5552-6116-0006-00000000E801}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161349Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.319{C6197713-5552-6116-0006-00000000E801}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161348Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:46.302{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706D03692F1F81AE0ADAEF06482AF33E,SHA256=E072A3A1E9A8B0DFB6F70FB1DA9E86EBDA9E3DCE05D518D18B3169D9A318EBD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215098Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:44.269{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64805-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215097Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:46.196{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8194A61ADB08184D3228AD55E76114BB,SHA256=0F5C6DE9038669111359DD3180B00A96E6441E3F850FAFD024BFB0E6CBDE9785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161378Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:47.490{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A44281DA2E839EED64B6710EC9FF49,SHA256=088FAB1DCFD138773CFAEBF6A18E49327E2470B767E0555FC2054FA5AC8F2D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215099Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:47.226{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A533DF95755179510EAA21F0898800,SHA256=4252DBB0E39C841B5AE4A721439B5CF67EFCE21B0869B899E907C8F36CB0E3C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161377Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:47.209{C6197713-5552-6116-0106-00000000E801}34921060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161408Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5554-6116-0306-00000000E801}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161407Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161406Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161405Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161404Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161403Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161402Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161401Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161400Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161399Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161398Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5554-6116-0306-00000000E801}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161397Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.943{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5554-6116-0306-00000000E801}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161396Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.944{C6197713-5554-6116-0306-00000000E801}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161395Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.490{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B74F1E8B6ED196DF013F5C0E2E0E34,SHA256=00C98A24F1E0966B962A37D3F71DCFFBDEA6D10AE83B9CB34FDBED370B50F5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215100Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:48.241{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7425CC1676ABAE17DF4691AB61B550A,SHA256=4742BDE6F4E9C29E894B6C3EF6E661EB8A090C6B90FB8A68BA38E37D7B9FA1E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161394Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.427{C6197713-5554-6116-0206-00000000E801}39802660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161393Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.334{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161392Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5554-6116-0206-00000000E801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161391Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5554-6116-0206-00000000E801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161390Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161389Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161388Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161387Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161386Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161385Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161384Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161383Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161382Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161381Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.271{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5554-6116-0206-00000000E801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161380Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.272{C6197713-5554-6116-0206-00000000E801}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161379Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:48.224{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED2C0E63BCDFB57E7E8880044C3D60B5,SHA256=7DF96B64A994EFEEC3259AA26668A6D00F1B8D6CA0B3EE3343CE65F5C87E7E3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161427Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.849{C6197713-5555-6116-0406-00000000E801}12402940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161426Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5555-6116-0406-00000000E801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161425Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161424Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161423Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161422Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161421Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161420Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161419Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161418Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161417Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161416Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5555-6116-0406-00000000E801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161415Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.615{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5555-6116-0406-00000000E801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161414Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.616{C6197713-5555-6116-0406-00000000E801}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161413Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:47.986{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52147-false10.0.1.12-8089- 354300x8000000000000000161412Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:47.830{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52146-false10.0.1.12-8000- 23542300x8000000000000000161411Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.505{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83866EEAE318632DD7FB7E83D1545880,SHA256=DCB3600964A756D05B2AB921407D84E263B8850DFEEE33E86CA2000E43175C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215101Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:49.258{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C264F8E14E974C95552792F02A172D5,SHA256=C7FACB3DE61B785355415D877EA27FFF3D660951835062DB37A734982C7F68FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161410Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.302{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C301A3A4DF0F051BF3592B4B123B97,SHA256=E70F8ADE5207A95F1F9D63412FD5729499830BE19833018E1A546D2AF481DFB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161409Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:49.115{C6197713-5554-6116-0306-00000000E801}1872824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161442Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.912{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95314EEAC62E2D88F6D8288BCEB51FD9,SHA256=3485943FCAA20400E3647341D22BBC035CE203EAC0048A9BF843F56FB4C9409E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161441Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.912{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91B1E7D29A5CD0657706910DEB2BCD8D,SHA256=734229CA72BC21F8CC8ABF1A1D42BDE9A5785EA564BC039192E4ACB280D634E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215102Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:50.292{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA1F26A34885B2EBDE243E69579AEF6,SHA256=7E3253368713BA11E2B82A39AE7226D9EE1DA2D63DEC519A18D117A6F6E6CFE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161440Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5556-6116-0506-00000000E801}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161439Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161438Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161437Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161436Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161435Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161434Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161433Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161432Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161431Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161430Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5556-6116-0506-00000000E801}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161429Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.115{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5556-6116-0506-00000000E801}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161428Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:50.116{C6197713-5556-6116-0506-00000000E801}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215103Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:51.323{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C799E8B0C821EE76E167AC212FDAC8C,SHA256=178BB825494CDC6C150C7B95B7B6668396CED80070DDCB3D74E4AD5333A176F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215105Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:50.217{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64806-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215104Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:52.356{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F025CDF0E7D7F9A7D793D10E47E8CE,SHA256=64E8443BEEB6287BF2D0F981813AC01C71831664C141BAF7F01522635F27E269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161443Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:52.021{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05205FDB79F15714583AAA442250CEE9,SHA256=47CBE67E4E63CD29AA295801DF1B4F29CA53EBA115AFAD01C8D24CF106869116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215106Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:53.375{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CF2E7CE344D6EC3B6C6CADB68C8B8D,SHA256=2F56BDFA9BFC2A3E4D68ED17BD77F01DC453693DF54EF42B4C188596C987AE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161444Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:53.038{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527ED99353A72799A58A761B615130B9,SHA256=11AFA6C28B9413C3EDBFC2AFE660EC2BF826A2B2A91BB1228CBF3457F8C5600E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215107Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:54.406{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B40633C2B47EA76103F675ECB03D743E,SHA256=2DA7C82D211382922BD927DAC498DE036CECF70F7D659D1A9F861E38C72231E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161446Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:52.878{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52148-false10.0.1.12-8000- 23542300x8000000000000000161445Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:54.040{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50307C317E01BD2AF4EA9D950378E01,SHA256=F3AB1DA875A4900EE15D28EED32A6616B220069D7B5D2E887D49D0FEF05CDDA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215108Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:55.421{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EE86E41583C00B3D1392E880AE1DE3,SHA256=8839EED4EE1D6E4074C8D21F7A82660D7513B4AB0D922577A64A691A3E61D727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161447Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:55.046{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77A9B35CA1CF4F4D2FA2BD71E92B135,SHA256=B4459EE8657EB5707D702A4E5BC85EAD9CD2CB4847895F638CAAA29E490E27D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215109Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:56.435{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74FC7A4C676AF42EEEAD5077D6F6980,SHA256=CFB80305A47522786795B49D8F7281FF4AAC6A003DDF58F86EE105D751533C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161448Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:56.062{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034114B6B85B1BC8F31C211884211481,SHA256=2192913DED8BCD89122CE31FC0DA9CE35B63EDFE461A92FB857DCB080DD3D27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215110Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:57.438{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF70B5A18C47D437CEC17CFCD536854,SHA256=D6090F174095FEFA5DDB6F7C7B57B98D883256B04F1B191CD3627B7A6FA45978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161449Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:57.109{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBDE15BB25D90BDE7F601219CB2C0F1,SHA256=22794E3C515B05C8B19267017942A5AF00DBE528CC0D88CC2EDF34DC540B8D17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215112Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:56.232{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215111Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:58.455{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C88119DAFA92FDD62216B98AE2912F7,SHA256=EAF452607C6EE8278C2839A1CCE10406B114571C5E96DC0D1F1F5D5CE2971EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161450Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:58.124{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7DD8D3E928EC5A7AF97FDDA0D92BC7,SHA256=FEA5591D4BF30A6779F89DF427C11B57019C0B3074A7969E8EBB096E195C88F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215121Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-555F-6116-0A07-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215120Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215119Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215118Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215117Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215116Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-555F-6116-0A07-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215115Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.735{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-555F-6116-0A07-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215114Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.737{079FE16A-555F-6116-0A07-00000000E701}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215113Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:19:59.473{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1BB5AF807DEE52DF4679D2CBF1195B,SHA256=49A80A7E190D296E2B15D159A84509AD969154B50A4E683EC3A9B9E7E9A11143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161451Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:59.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C0D3DA746B041078B5F14C04EF8603,SHA256=171530344A2E994D1D4196DAF3DFDFB1B71F12CC48FF88D4944AF8397816D588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215132Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.756{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D890C4044C8E95204BBCD2610860FA70,SHA256=AA4BDC7B23084A9A29E138246F2DFB75F586B5889004F80D63A3CB6E12194CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215131Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.755{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B1B50B1578BBC56C2889DA7888CDD8C,SHA256=F2CE19B54E0BFA18BFD8533E550F3DD4F148D92C26F3D8D186C770A1D1825346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215130Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.488{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187D8DC224451F5AA87D025A9EFD2E15,SHA256=F8F27C17B2FAF50EB2A0D4C75756B46DEC795D3228123E5A64439E37F63C0E0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161453Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:19:58.917{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52149-false10.0.1.12-8000- 23542300x8000000000000000161452Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:00.171{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188AC70FB18E9DC3F49A2988B6D81FAB,SHA256=1A7A431706BAC35B3E0AC9A815C61351B349E33623E8954C7AC34699DDB114FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215129Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5560-6116-0B07-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215128Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215127Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215126Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215125Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215124Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5560-6116-0B07-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215123Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.404{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5560-6116-0B07-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215122Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:00.405{079FE16A-5560-6116-0B07-00000000E701}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215142Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.501{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3062C6014FB8C3004B6D3058039DBED9,SHA256=9483DE47DD34E37537D1952BB627052D9CE81EF3627A4541B5874E1201FEE1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161454Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:01.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0611D9BC66F467140BD2EAA8520CAB90,SHA256=58B744668E1C9FF187B21FEA7FFCE984FDE02C8F10A6B8216FF2F3179BA55A4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215141Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.369{079FE16A-5561-6116-0C07-00000000E701}61803924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215140Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5561-6116-0C07-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215139Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215138Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215137Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215136Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215135Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5561-6116-0C07-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215134Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.072{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5561-6116-0C07-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215133Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:01.073{079FE16A-5561-6116-0C07-00000000E701}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215144Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.532{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E21DC86EB226FCC2C9405643EFD2C7,SHA256=B14FF6D3165303A13A0BFCFFB4E6A6B647150C38DE6DAC296CFD623B1B3BBAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161455Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:02.218{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CF7F1848D6E847BE81DCCC33453122,SHA256=24BFEB1DB04AAEDA0323C5990FE61CE876A4A5905FEE179D394355D0F6EFD7D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215143Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.084{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D890C4044C8E95204BBCD2610860FA70,SHA256=AA4BDC7B23084A9A29E138246F2DFB75F586B5889004F80D63A3CB6E12194CEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215153Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.785{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5563-6116-0D07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215152Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.783{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215151Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.783{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215150Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.782{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215149Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.782{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215148Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.782{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-5563-6116-0D07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215147Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.782{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5563-6116-0D07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215146Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.780{079FE16A-5563-6116-0D07-00000000E701}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215145Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:03.547{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD7116F066C00E84C9C37FECC005AE8,SHA256=6BC5FE4C63D043D3841B929124BAEE68A6BA00CAECF86A075196573E12FEEDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161456Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:03.249{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E5ED187E8B07B9710220B5D2067E2A,SHA256=ABBED57DD3A3DF83ADCC3304F60865FFEEF1012678EDAAE8BB6DF10843793FE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215166Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.764{079FE16A-5564-6116-0E07-00000000E701}68203472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215165Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.716{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=719AB7B10DF6A88F4A73180A1819D301,SHA256=36E38C98790D5A8A5FE0245A09B30F36174D2AE68A014448ABE94BCA039F8B33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215164Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.172{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215163Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.584{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E310F9460BC7A91690389C072BCA51F,SHA256=CDCAA52720D92DD8DE386296C8AB4B17F9E52366BB8181FA4CD547C66A270A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161457Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:04.265{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15360FFE857E56D5548352D2B7B7862,SHA256=065664BA7448A8ED5FA6BD95EDA70D96E2F03B9FD4AEBC2EBC6D7E9ECC03B1E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215162Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5564-6116-0E07-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215161Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215160Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215159Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215158Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215157Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5564-6116-0E07-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215156Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.463{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5564-6116-0E07-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215155Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.464{079FE16A-5564-6116-0E07-00000000E701}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000215154Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:04.101{079FE16A-5563-6116-0D07-00000000E701}45726528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215186Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5565-6116-1007-00000000E701}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215185Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215184Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215183Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215182Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215181Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-5565-6116-1007-00000000E701}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215180Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.800{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5565-6116-1007-00000000E701}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215179Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.801{079FE16A-5565-6116-1007-00000000E701}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000215178Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.826{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64809-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215177Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:02.826{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64809-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 23542300x8000000000000000215176Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.615{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A455C0A0366B11173AB4500B5A00C8,SHA256=FE783EBD0448613C27F47BA0FCE6712472840A9B193D084A367292DE96D65BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161458Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:05.280{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2F8EECEBD19A9AD9F0832804C74346,SHA256=2F831755EE36A607FA2BB74425331C93CA00720961753D7E9CE3F881D64FA57B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215175Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.384{079FE16A-5565-6116-0F07-00000000E701}50082296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215174Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-5565-6116-0F07-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215173Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215172Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215171Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-5565-6116-0F07-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215170Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215169Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215168Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.131{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-5565-6116-0F07-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215167Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:05.133{079FE16A-5565-6116-0F07-00000000E701}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215188Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:06.616{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDCFC9EFA0BA57E1B04E5826C1AC4E2,SHA256=DB76D1E3EF888B579D73E886DDE23A974CC26AEFAD0FC4953FF5B93958EABAD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161459Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:06.280{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A942002EFDED24CDD14E30B41F7F0E,SHA256=4D8F42453C51FA53FDCE3BC2B3663E90AC5F4E4621FA48BF176111A1866B1677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215187Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:06.147{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F85C9BB10338738354DB388C702B6E45,SHA256=6DB93CD249CE1A2D58155A2B05D1F3C8B89A8060F88E6F9EC3936AD771622269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215189Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:07.631{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C977F0821690CFB4270019706DC8143,SHA256=87465A3A1AC84ED3C909DE0B55A1B35F6D275F4DA9F534D48B8002296C2DF7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161461Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:07.281{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47073F361E42139507ED7B1E062C7403,SHA256=C01275C26A60A649367E56A91638BD4B4BB8A10B7730EC5BDC025C11DDCA095F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161460Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:04.886{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52150-false10.0.1.12-8000- 23542300x8000000000000000215193Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:08.646{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918236B5D91879DF53BBA8978FDD3189,SHA256=FFA343E21832BBB49A3AE8D417A9A0F4529E1F674828C2C1E5D7AF503EDEC007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161462Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:08.312{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34896C4F14AE287E72378E26F65D4617,SHA256=0BD4F61ACF5101D31A549E10B0056713CE2CBBDB5461C926CE5C933A41B57B77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215192Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:08.115{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000215191Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:08.115{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215190Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:08.115{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb6ccb1.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215197Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:07.306{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64810-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215196Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:09.681{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF10142D6E16C8539464791D76C38235,SHA256=B35885A35462AD5877EA8EAFF6E179104101B4C66A8B49BA5454E890F890E8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161463Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:09.312{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5A8D640AD72CF56CA3AE05A037F4BD,SHA256=9F9B06D51871991E12AA4A39247F3D172377C9C026BD7B73830922B3BC1223D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215195Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:09.045{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215194Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:09.045{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215198Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:10.699{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C34A9C256BD9D3CEF1298208453C92,SHA256=64E168698EF2EC9AC6E9A1D117318DDDA2B7A18DCE3FC064B581D0435F94DDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161464Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:10.312{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43CF16229FCCF26C2D00DCD608351BF,SHA256=37DC0D1FAD6660E138120F3BC7B2FEC96FFE3B581C161239639796756B1DAF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215199Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:11.729{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDE40FFF0BFF02D241630EACC66C39E,SHA256=E7A0818B349624E5B3EDF74D10284C37A8EDF948666DF33C0B18227F3AA66444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161465Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:11.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3485A89475E73E0B6AFEF9ECE57616,SHA256=55B3459145EF3BFDD09D0D8FD8DBDD0B7D31AE9993414719F2C592C922974091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215202Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:12.744{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5311A03AA2DBE23277F4CE98092F364C,SHA256=C7D4463E9E05384AE91F517A6EB6DEDB86882B6371018D83629FEF8804A3AA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161466Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:12.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC34A3B8C74175FA9C10B1387C9AEBB0,SHA256=819286E0C01E41C148A1211DAE4A5BC5B4F5A6D82BD10941EB119A0FDBAFC834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215201Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:12.460{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215200Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:12.460{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=C3226C075E608937FF0D6D3609F2140E,SHA256=D365C8CC79BBC2BC801B6C575720DE9A5542E65246EEFEF66F4862B5DB795C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215203Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:13.778{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C45C4A76C5BD7F8061EBA0126C33AF,SHA256=639CA5596AA114AEDCEA2D3CDC2E05DE87CE5B2275526B972E3D9F6A30881804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161468Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:13.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD2B09236F5F45A87DC42039F75321E,SHA256=4A374D5BE6A2189BCAF22CE16E389203AF26C110208504FFCD9C8850EF97A879,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161467Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:10.761{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52151-false10.0.1.12-8000- 23542300x8000000000000000215204Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:14.829{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A85EA48489A8A8838372F85FE7A98A,SHA256=BAE10DAF0C98E8A37F8C5430AF8CBD8020B1AD21FCA6E5DEB2D027167BB1EEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161469Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:14.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588B88F07B6D324E765A9A64CC4E8A2A,SHA256=DEC7DCF7FE5B09578A94B68F815DEC9173E248310AC0D14A3D45A797A636C906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215205Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:15.829{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE76F050C38841866717B9927A94535,SHA256=2B49AF36E0B0AE732E5E1E7A8052AD3626CC521FB41C9919678509C91FD3543D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161470Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:15.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE5D6324C4C5DE6A397BBB67E111C91,SHA256=9CF0EDFC9B1DD3E08CCC327087E8AA5A068A11F44CC348660E2851EB5E90CB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215207Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:16.859{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE82290183413FC8EEBB3931C3000AE,SHA256=91029045BEA68D53EBC72DBD7AD7DB06E6BD99403F02F402E8050888FC457D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161471Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:16.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E1499DE4A1977A5A977A8712B6000E,SHA256=759AD38471B2E8010BD072C47EDEBC8F92D94B8EA624CF78849C4FEF6EED109A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215206Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:13.338{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215208Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:17.879{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A410E107CCB9A218A46787D1DEEF8F4C,SHA256=448A06CFD321E5A25905162104F00EAEC88D88786FB8C8E715BA76AEDA5E7DCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161473Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:15.777{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52152-false10.0.1.12-8000- 23542300x8000000000000000161472Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:17.327{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB132D180CC235CB2210C584670E5692,SHA256=62A5A7A4A36F6866363B35ED9A802950C6EF85F53F45DA3E871D9ECE38F54198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215209Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:18.895{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92109CFC7453F8F41261E7A3A1CCC6E,SHA256=C886030DA3F243ED9A5EB4E51AD386212858304FEAF98BE328F7138F74BD7D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161474Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:18.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BEEB79DCD4B0BACBC5B59E67B6CAFA,SHA256=B3CEE66F12071AFB83AEDE7907C7A5815E5A218DEDAD03AFC5CAB32B03ED8E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215210Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:19.898{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8BCDBAFC1B8A86814F8C38D16589F6,SHA256=930F034AC93814A4C372B36D4CC6E8284209F48A7EB3B983AC9ABCB5B19AB859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161475Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:19.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20DEB6B049C513A9789C09974205F6D,SHA256=C3DB781D850BB491833F36B5999E2B0C85B09D8D4F3C5F7330B4043817F0BAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215211Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:20.929{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7993266267AA681DCAE5532F35686BC,SHA256=4C6DF7D92933AAF875A502B7BFC5E2A361788DA2D6E11D1864D678B54FD12110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161476Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:20.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EABAA7DD471AED0C25114DA5321696,SHA256=C5B640F8AC256AFD894DF6615F6D557F637200B4F4B0ABB9901A6FE61A7883B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215212Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:21.944{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B5DC4ABF034AC9ED557A4A014066F8,SHA256=A7A1A91878B89FAD462841CE45796B8DA3C734A9BCD4F8E8536BD8FF5404FF79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161477Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:21.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFD9AB60C40ED8B6A564251304C992C,SHA256=7FDBCCF0D4A6354069F54C866786EA8E14C55921E6D6968A4CF32C2D902F025B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215214Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:22.978{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C5E44AA3B2CE4FCDD8490415D7AB64,SHA256=4C415B395F0CB9ABD81D54A5C24FB75B14BA921EB5C8FDBF6A5D3507538C6795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161478Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:22.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00516FD70629A1F59AFBAD5A6326CDC6,SHA256=85082933EC718DA89AB8D7A9DC071C79B8913A316E9EBBCC96FAFAC035557A2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215213Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:19.223{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000161479Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:23.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B451D9B23E8849101426B6E650379F81,SHA256=D3842BE8DAF1F4C236ED9DB7E2E6B956F86D7056549E680838FF220C277DA78D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161481Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:21.777{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52153-false10.0.1.12-8000- 23542300x8000000000000000161480Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:24.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28A12BDD4B66839821ED5AA46D7ADC8,SHA256=F00E6017BC7275B21A717413D5424954EB7AA60FA212EB75848660DD6931E574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215215Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:24.012{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35561034700F79DB1B2822C025CCE68B,SHA256=9777E2887207E7C2F0C93C0035D856CFB38C74F421B46CF3E7C6E794C4CDC125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161482Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:25.359{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2539E423396DE5E0C037DAAB5BD0496,SHA256=3DE11BE793D955AD955CC462C783BDE637992E2B9079FA5BD14A5CDAF5058ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215216Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:25.026{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6528E1DA804B70B8F1B8AFD2F26348B0,SHA256=4ED81B7BC03CA6084DCE64E61CC0CD8542BF2BB4A65844456CEBFEED1EEECC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161483Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:26.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9B09A87542FB412932D802B6D4D7E6,SHA256=07C67135A55EF0253B4C91286B618547A8B829CCACC417EC8276068E26E4C681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215217Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:26.041{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C137FFFFA2398A6C34FF26B9297903,SHA256=B0A7381BE438E9159DD16D7FEEFA6BC3BC09E6A61242A591400E1770029214F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161484Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:27.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC3922D85DBCA09CD188B8FF51860BF,SHA256=575EA8C1B0335DEF4B32A71ECF33184DB30B3C00FBA0FC4A82E30C8DF7EF14E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215218Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:27.056{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADC095EECF02F083AD5501F6AD2F14D,SHA256=65509AAB67E083E72C23DE8160C7050EAC3CCAE7EB25B2A7545679F814BAAECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161486Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:26.809{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52154-false10.0.1.12-8000- 23542300x8000000000000000161485Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:28.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC26C7D522DEEA3677848375DE1780BA,SHA256=B7C40563995BD872A944D2187CF46EFD54C0A2C7855076F985F69F36E8D53B5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215220Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:25.251{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215219Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:28.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C9CACB86C10F4FD8E46A7176510E58,SHA256=715B1EB3C8477868DF80E78C3CE8C7B9AAB1B01F59FEEC444293E295851D6047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161487Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:29.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D200997277EA1B08C6D51EF13812F62,SHA256=0C62E48C61B76C8C66588FD7262E4D16585E79F7F6B5E6A3946D3FF2D0DDA22B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215222Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:29.292{079FE16A-26A2-6116-0D00-00000000E701}8921116C:\Windows\system32\svchost.exe{079FE16A-3DEE-6116-CA03-00000000E701}5736C:\Temp\release\x64\x64dbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215221Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:29.092{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438BFAC055D7B2E2985CC0F1C6443C4F,SHA256=ED2231737AD4987CD0DA1F52D016F9DD3855F8876DF26F027540FDA040E1336D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161488Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:30.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033BA98D2C35FC3B3D7452248FE047E7,SHA256=D8A7A92FBAB6845CE88626C81A095E0315F407449B4EA4681F097FB12B4CCCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215223Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:30.123{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49FFD2369E87CA8085F83EFEDA29BED,SHA256=EAEE5A186D33563A0C2D236853B418A8987C21E6B70B91DBD54901A2B1769F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161489Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:31.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120B5F865E9EC53E692F1F39B119A156,SHA256=4EFED22ABA779850DC765F028CECD1689D568CAE2F297EBF4A5314814836CB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215224Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.123{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BD12E39BC26E514EA4CA9CD97BDB37,SHA256=0CEE63B2284788360BFF7D3A06C2A105496E2966096EA0D4208A800903CAB16C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161505Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161504Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161503Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161502Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161501Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161500Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.624{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161499Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763A40CF6FF5999699C4E176671FAC1E,SHA256=A739205FC584C985283D2D651A3E58161DFC8A504E9CA2604AE0B4666A57E870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215225Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:32.125{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E3D2EB94735D3F5F2506EF0F0B4A7A,SHA256=19894D164CBCD1C4EC6905A0AB55B67E983BE56AF1E26649D84F57C53793C63D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161498Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161497Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161496Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161495Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161494Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161493Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161492Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161491Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161490Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.312{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000161515Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.294{C6197713-26A1-6116-1600-00000000E801}1208C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52157-false10.0.1.14-389ldap 354300x8000000000000000161514Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.092{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52156-false10.0.1.14-49666- 354300x8000000000000000161513Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.091{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52155-false10.0.1.14-135epmap 23542300x8000000000000000161512Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.640{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C99CC2DD6F59E8C5F1494B3DCAFADE8,SHA256=D4D5F9BA1BBDCE703C80FE40F3F959EB81A66C27B5BA2D1122E2411BC8AEF7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161511Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.640{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4234938CE5C34463E1CBA3974C573DDE,SHA256=ACFFA63C5C28F7D19A5682F184A5D2F6F02B8EE8497A2553D75E99A30BBA712A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161510Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80707779AC62E98534CDBAD0BCB6163D,SHA256=1FA599D572345F68D6F9C0AF070276CF463E91EFFF8DB4D48EBEE7888C763E59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215230Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:33.608{079FE16A-26A0-6116-0B00-00000000E701}6284932C:\Windows\system32\lsass.exe{079FE16A-269C-6116-0100-00000000E701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000215229Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:33.455{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B4E7E779636706D0316647F4E2D79F9,SHA256=90B828D41A001BDD4ADE50A8008C169F005C68263C191BC9D6689F9EC2E42E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215228Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:33.455{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F6F4A19C28C8935F15307E830BCE08,SHA256=1D0B8DDB22012FCD8F6213B263038B74E6F2B6C63C7A3B68805D0C3F864E4575,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215227Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.297{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64814-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215226Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:33.140{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A4D86079636D538E818FC78965E0DF,SHA256=74D1575EF0FD99F545218487A144CD0EA836239771C3EEA962D387BB8B6EC06A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161509Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.077{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161508Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.062{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161507Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.062{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A1-6116-1400-00000000E801}804C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161506Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:33.062{C6197713-26A0-6116-0B00-00000000E801}6281420C:\Windows\system32\lsass.exe{C6197713-269E-6116-0100-00000000E801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000161519Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.793{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52160-false10.0.1.12-8000- 354300x8000000000000000161518Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.736{C6197713-269E-6116-0100-00000000E801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52159-false10.0.1.14-445microsoft-ds 354300x8000000000000000161517Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:32.418{C6197713-26A1-6116-1600-00000000E801}1208C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52158-false10.0.1.14-389ldap 23542300x8000000000000000161516Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:34.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0B8C159C794A188FF105AA8E778815,SHA256=08717F89320F81DAF5508CBB0C02C294959B351FC22D29A90188AAD829E34D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215237Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:34.624{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B4E7E779636706D0316647F4E2D79F9,SHA256=90B828D41A001BDD4ADE50A8008C169F005C68263C191BC9D6689F9EC2E42E78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215236Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.752{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local389-false10.0.1.15WIN-HOST-86757452- 354300x8000000000000000215235Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.743{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752157-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000215234Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.540{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752156-false10.0.1.14win-dc-414.attackrange.local49666- 354300x8000000000000000215233Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.539{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-86752155-false10.0.1.14win-dc-414.attackrange.local135epmap 354300x8000000000000000215232Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.433{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-414.attackrange.local389-false10.0.1.15WIN-HOST-86757451- 23542300x8000000000000000215231Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:34.140{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9882CC5C0D7EFF80CDFEF6A5008E3A7,SHA256=599BAA33D1EE1A7E7ED0F86682DCB12BAD3F390B6904DBC03719597232D94614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161521Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:35.374{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B891DF190772254BD9713AD712900C6,SHA256=B367A9E2EF1B62B0C81973C9BC9A517713D224956DA0D2A132BBE61B2E2423E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215244Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:35.576{079FE16A-26A2-6116-1600-00000000E701}13006648C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215243Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:35.576{079FE16A-26A2-6116-1600-00000000E701}13006648C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000215242Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:32.735{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64815-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215241Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:32.735{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64815-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215240Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:32.184{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752159-false10.0.1.14win-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215239Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:31.867{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-86752158-false10.0.1.14win-dc-414.attackrange.local389ldap 23542300x8000000000000000215238Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:35.154{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E83C600E39DED9E4B71F516BA970459,SHA256=725507A8AD6CDEAE32F98FF6E00283DB47E28967CC796564A024D9138F0A6599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161520Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:35.312{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C83B04388DB37B99A5D8184E10430153,SHA256=0A505AF4CBF56AAD8D3B9B10284BEC85B676C4061F38D6246A2909A41B5E18AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161532Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:36.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760B3D9B003879C2363E3CB8984983FD,SHA256=6A78F720FE9670752907FE5AF6E21B7FD1E940D103C6234BF7430B4A0F10D7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215246Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:36.891{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F4B41D965F6D72E6E3EF9E7DC7712394,SHA256=92BBDB50BE2930901B4986F9BBB59DEEC5571A03BB44E406E4330339F0627F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215245Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:36.175{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E181D7123107E6924DF8A3249EE352B,SHA256=C67D7B2E70E5D61B5FB6A4C51AB37456F98CF82FC50CA0F7DA66780BC69B2518,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000161531Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000161530Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b73492) 13241300x8000000000000000161529Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0xdb1b5e6e) 13241300x8000000000000000161528Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79035-0x3cdfc66e) 13241300x8000000000000000161527Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0x9ea42e6e) 13241300x8000000000000000161526Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000161525Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00b73492) 13241300x8000000000000000161524Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7902c-0xdb1b5e6e) 13241300x8000000000000000161523Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d79035-0x3cdfc66e) 13241300x8000000000000000161522Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:36.157{C6197713-26A0-6116-0B00-00000000E801}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7903d-0x9ea42e6e) 23542300x8000000000000000161533Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:37.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C07FE8640B8BAF9A1DB2F1356DC5A6A,SHA256=E2CECAE66AC7B53D75E6F582816AB8CD0B06E6D8BDD826497A7B6275D82976EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215247Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:37.206{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD78B2259ED1B6C5FFC45F7640E9FB50,SHA256=8528B38B8797C97364BB335762930A77FD6E04A2700955A44B516C315DAC6904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215250Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:38.805{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215249Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:36.316{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215248Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:38.221{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48035546A6EDB26431294D35C6DBB04F,SHA256=DEBB98F36CD3E267D53ED74BF16A57783B67F5DFB9B838F95CF8B613052BC7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161534Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:38.376{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1644F86E29384D5D04B1017DDD6F05AA,SHA256=49D78F588529B40FC0CDCE4E30ABD67D6AA571F640C789E11116BB723040AF92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161535Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:39.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49564B97B7281750D85C31EEBED9756B,SHA256=684653B8214F3B0F4AE0010457E165C2EB46A5F222ACD871A226B0030B36D014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215251Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:39.236{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629D6CC2BDB949F4B26E38A7629C9C55,SHA256=B705728F45523175E2E4E25A61FC4FEEEBF9D8820CE2C01C1276A6679E2559D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161537Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:38.717{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52161-false10.0.1.12-8000- 23542300x8000000000000000161536Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:40.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E1FB714BF89B4BA873947D8097AB5E,SHA256=0965C55389753E6125180AA0B8738D3A4AD18D00D3D46E332C391DDBB3ECB4B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215253Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:37.915{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000215252Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:40.269{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4E3BA3C48F0E4EC956BF6DAEA153E0,SHA256=F3054197EA866E5D2B16A2C3E5B28821B2307160F9C39383E952660D5FE3EA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161538Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:41.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6201A87B6C7D2229604727211D2065,SHA256=6682ADA26EA23A8B42A076D56B8D53D770333D28C7223F5A997DB0CAA7E01DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215254Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:41.287{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5E5F97C7BE2BBFD669FB2DD4B713BC,SHA256=891E7FFCBE2BABEA445429D9FA8F856D8B41B97A7041F3C6608219142A83C684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215255Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:42.348{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FB7EB5475C2AD007748767423C4504,SHA256=72F926E090C7F117700D62573AF661EFE594413AC45EA7DA8B42361A9A42F0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161539Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:42.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66616C55F86102BF9B2C2AE92B2615C1,SHA256=2CA262B0516C8F8D79DD5764A02A23BBFCD6E1B09A9E3A0F87CE049DCFAB3C29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215257Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:41.373{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64818-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215256Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:43.366{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBB7A1F4DF9F5EF166DCA995F469780,SHA256=B7A7CD3741433BF80CC615ADDD9CD0ABFAFA8ED4430A400F88064786EC072CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161540Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:43.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE60E09E222D5F2B3BABEEE2C9E55BB,SHA256=E2C23D44FE9CB9D6D6E16114C28BE7B83CAEB2F68694BDB3B8B5589FD01192E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161541Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:44.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6E09926FB95CA88DF55D5572D62A1B,SHA256=475E707CA46E5BDF87721B42E1B38882D8B6067BABC687A7002AAC839789A354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215258Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:44.446{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881B50B91CBC9AE958A5F3EFFA4DFAFD,SHA256=0FEB6C70B4891CF7FE4256D98631D35A407BACF84E0B664DD076AEFDD26DE715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215261Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:45.446{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E270943BC10024E7B4AD1D0622E52F,SHA256=EC36DB637856AAC60CC7880016E1FDE34C392268ACEF8F8D3ECEFF1266BB82DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161555Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-558D-6116-0606-00000000E801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161554Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161553Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161552Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161551Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161550Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161549Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161548Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161547Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161546Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161545Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-558D-6116-0606-00000000E801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161544Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-558D-6116-0606-00000000E801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161543Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.657{C6197713-558D-6116-0606-00000000E801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161542Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:45.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71684812F9B47CFB7484A9B473EBC63,SHA256=7EEA4AAFC67EA4C68F35EB36532BA0786A39F44E259585682CE50BCA7FBD229F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215260Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:45.315{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F885D2424206BD34650255A040E62D5,SHA256=9244424A479FD9A2E49D6D8A6380EC621109C460F20898EA5F8B0830816FC639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215259Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:45.315{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=282C9CCEA1E56A235BC1D3BA156BBBBC,SHA256=A182BF7D933A4B2AA4C45FB414091F00BC98234CB073511B7E3626446FA62A13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161586Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.969{C6197713-558E-6116-0806-00000000E801}2476736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161585Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-558E-6116-0806-00000000E801}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161584Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161583Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161582Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161581Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161580Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161579Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161578Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161577Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161576Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161575Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-558E-6116-0806-00000000E801}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161574Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.813{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-558E-6116-0806-00000000E801}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161573Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.814{C6197713-558E-6116-0806-00000000E801}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161572Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.704{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB98B99854BC04973B3F5419247508DA,SHA256=9F1D802A92B9F64BF51EBD5394D72DB2C45DFCFCE29D22089C592EA24BD838F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161571Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.704{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C99CC2DD6F59E8C5F1494B3DCAFADE8,SHA256=D4D5F9BA1BBDCE703C80FE40F3F959EB81A66C27B5BA2D1122E2411BC8AEF7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161570Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.407{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E126317F6E964394AB104B7F5CF887C,SHA256=D924880FAEE3A6A43BF0C0CC48F9072EC1AA225649853EBCDA51375CDACFB26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215262Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:46.464{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF99F91947A856FB0EEE464799D0ED0,SHA256=BB67E93ECB0227F8BB1E913C39C17B025306387234A2393C2ABD3C0219CDCEFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161569Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:43.826{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52162-false10.0.1.12-8000- 10341000x8000000000000000161568Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-558E-6116-0706-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161567Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161566Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161565Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161564Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161563Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161562Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161561Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161560Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161559Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161558Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-558E-6116-0706-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161557Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.157{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-558E-6116-0706-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161556Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:46.158{C6197713-558E-6116-0706-00000000E801}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215263Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:47.484{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D5357A865E49A528745EDA948404B2,SHA256=33A8418648149F6ABFD723E3576C8DDD5799CB223C9EEC261B7510E71E64587D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161588Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:47.813{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB98B99854BC04973B3F5419247508DA,SHA256=9F1D802A92B9F64BF51EBD5394D72DB2C45DFCFCE29D22089C592EA24BD838F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161587Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:47.454{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AF0CC6D3A66DF5C782C7A6C20E4062,SHA256=8E24E0A319F278114C3EACDA3A58EFBE359EEE915536C4385DA22255DB674FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215264Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:48.499{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E62210E377A4357064D71DF5552665D,SHA256=B5AB58B745BAE2E7F523FC2E417C258240956AD9752B609D31804D60AF7A785C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161617Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5590-6116-0A06-00000000E801}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161616Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161615Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161614Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161613Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161612Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161611Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161610Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161609Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161608Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161607Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-5590-6116-0A06-00000000E801}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161606Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.782{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5590-6116-0A06-00000000E801}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161605Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.783{C6197713-5590-6116-0A06-00000000E801}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161604Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.516{C6197713-5590-6116-0906-00000000E801}27602932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161603Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.454{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D8917D89723398D6426C51BA61F940,SHA256=216E49C34BBBBB1516DF8E5EB6C8BCBEC8909ADFC070A424FAD9833763A96B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161602Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.360{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161601Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5590-6116-0906-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161600Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161599Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161598Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161597Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161596Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161595Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161594Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161593Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161592Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161591Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5590-6116-0906-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161590Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5590-6116-0906-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161589Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.282{C6197713-5590-6116-0906-00000000E801}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161647Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5591-6116-0C06-00000000E801}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161646Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161645Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161644Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161643Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161642Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161641Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161640Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161639Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161638Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161637Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-5591-6116-0C06-00000000E801}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161636Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5591-6116-0C06-00000000E801}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161635Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.954{C6197713-5591-6116-0C06-00000000E801}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161634Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.719{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65EF5EC77D82C2BA4E91CEDA4AC4FC9,SHA256=74DE14A993D495142240E103428395299B1C50DD5A72C79F66CC9F244B0C810F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161633Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.485{C6197713-5591-6116-0B06-00000000E801}3744304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215301Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215300Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215299Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215298Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215297Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215296Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215295Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215294Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215293Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215292Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215291Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215290Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215289Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215288Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215287Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215286Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215285Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215284Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215283Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215282Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215281Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215280Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215279Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215278Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2851-6116-BF00-00000000E701}4652C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215277Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215276Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215275Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215274Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215273Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215272Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215271Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215270Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C000-00000000E701}4860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215269Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215268Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2600-00000000E701}2928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215267Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215266Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215265Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:49.285{079FE16A-26A2-6116-0D00-00000000E701}892916C:\Windows\system32\svchost.exe{079FE16A-2852-6116-C100-00000000E701}4956C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161632Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C72F71357055782B5B759FDA9BD590A1,SHA256=B66E5FFA5C16755F7EABCD6E8FB99F1AE4CE449C9DCB53696CD16F20BBD1BFD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161631Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-5591-6116-0B06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161630Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161629Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161628Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161627Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161626Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161625Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161624Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161623Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161622Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161621Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-5591-6116-0B06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161620Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.282{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-5591-6116-0B06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161619Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.283{C6197713-5591-6116-0B06-00000000E801}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161618Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:49.032{C6197713-5590-6116-0A06-00000000E801}2848764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161649Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:50.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2A1B921E031A2C9BC39E4E8CC6B51B,SHA256=4271DF5DB804BA3FA3E37D1050A7ABE2DAACE98A8D16FECA9513D56391BF9992,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000215304Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:20:50.716{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79035-0x45aa1b3e) 354300x8000000000000000215303Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:47.187{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215302Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:50.015{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415E946B433CC29697F6BB84F0AD8392,SHA256=E548CDF53FD114517FA3CC52259B936A60D0F6CB86CBE54AD0DA84FA612B3012,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161648Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.016{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52163-false10.0.1.12-8089- 23542300x8000000000000000161652Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:51.501{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E6099E709286AC19D0927D28CE8864,SHA256=F760354045ECAD00C9F985E91D3D8265367B26DE93BCCCD87E0E68807ECDB14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215305Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:51.032{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DC0B85A966B29624C45CC2CEB10C5E,SHA256=EBEAE2B64036861EAA2CEC46D722E40D65330A3D1FB8F166DBBEF1EFB7CEA96E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161651Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:48.888{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52164-false10.0.1.12-8000- 23542300x8000000000000000161650Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:51.188{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BC374E3FD0299A54B0846B36D5D67B8,SHA256=E2F102D15F7245C13B7FEF40099A3C8792081C8E036A5F2586124276076407F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161654Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:52.579{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB872CA650BAAC0AA21B92CEA80ED56,SHA256=4D93678EBC5AA2D7B87138CD8EE6989D017EC4D583A178DE5A66E2918CFF21F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215306Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:52.068{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3534660B5D3D53E233CAC6619FD47B8,SHA256=74F72A46639CF55BF36D86F76BDB065865CD447B91EE6A33289CDF1EA506E180,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000161653Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:20:52.094{C6197713-26A1-6116-1100-00000000E801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79035-0x467c7c39) 23542300x8000000000000000161655Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:53.625{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDAE1CC2BD82650967D1ABAE3433F66,SHA256=63C6A7689D92C212A5FFCB647A25C9EA106BF93A284661886213FC7D72F23D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215307Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:53.086{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E2A5C9A98018EBD094E590A1B06A6F,SHA256=57B306CD7C4046A982E4A5DD543B9F72206F9C967DD8EC544FBC7BBC025EB71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161656Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:54.672{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CE42EF20B39B6C72D7B8297DC2E2D8,SHA256=47AE1AD27506241420B65275A51F5BFED31366659D78202C3BE77F702BF53E56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215315Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:52.224{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215314Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=7159C34FC1D31216AAB2E6579ED130F6,SHA256=C795C0C0E959A7BCFBCFE05887CAAB8C71ED81A2FE547E94739178DB7C97D3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215313Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=D2B9CC9A9201859065C0DA36AA399E6F,SHA256=63F3262833438672F171B69D28A27262138E4BA530FC3F71679B91902E876FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215312Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=513C2AB57801B7DF066795C2E5FA310C,SHA256=08AD7F5CC2845EB8D249AA3B84038BB80255D2D8A406C5ECFD5EEF1B618BBBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215311Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=E42049C10484327BF93E081839FA0517,SHA256=60FCCA2C142F8AC881EFB74F7D96924F5A10953B6DE57D338F4CB98EACB4842A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215310Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=CBA285BE37362FF984E407CA4C680640,SHA256=779A49575BEB9DBDC1E6D6CF5E8022D43B9C57A7F1F1AA735B8A28643B5BD261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215309Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.348{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=3DAEC356F6AD246112DD6B5C8682C970,SHA256=912C21AED2D506DCF3ACACD950908F00D2099EEBE3A1745E09A326110768C79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215308Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:54.101{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D936F3F147F3B7BD74CF6A6184B7D428,SHA256=87BE1555C10BEE66ED127F85758D9E9E1D3223954B7E6F9F525530775E829BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161657Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:55.701{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA86CB1FA9BAB0AD7D102EF5A1DA0AFA,SHA256=DAF02A362FA69B77E069047876F84C2A94BCC7835EB71A1E2D51CD04A57917FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215318Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:55.700{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EA71F5B8BB91B6B57BCB1F00C2B053B,SHA256=BA180C5B87B25E30D581B48FEFA42E45AF9E73D35877DB7B08BC291FE2904860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215317Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:55.700{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F885D2424206BD34650255A040E62D5,SHA256=9244424A479FD9A2E49D6D8A6380EC621109C460F20898EA5F8B0830816FC639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215316Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:55.115{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBC65C7A87101B428D7A852C9D5C595,SHA256=ABB082D50BA6661385DD5AFBE49515130D06D80A5BCA556E4A4EFD0DFAE6FE5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161658Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:56.922{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E16C770BFF6802F40A6464491EC402,SHA256=BEAC849C25D1317C103E5894F6F18F990B1C510A41C54D7202569321487A2A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215319Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:56.130{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACECB3DB5056010E9F69D53001408A58,SHA256=B3E082EB4BFE4347BCBEF931F659B2D5CC2A66BAB0BEEE6A91BB7C3C32654913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161660Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:57.938{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80644BB376FD66C765C43E5DCB353F6B,SHA256=7976C9DE770EE6879AB2B487D17FD250F17CD97BB8E1F559861C8BC837756BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215320Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:57.145{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38ED3506F88F8A7DCB02345FA597B29F,SHA256=67E3D64380AAE351D4423B65EFD10FEA740D48D6F271C7D07B81AFB3CB5B509C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161659Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:54.917{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52165-false10.0.1.12-8000- 23542300x8000000000000000215321Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:58.163{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45893D457F9B1A790C621A3850066947,SHA256=1B0CEB84075690B08527819079C5A7B1CB18E5E914635096A21348E757753A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215331Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:57.266{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000215330Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-559B-6116-1107-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215329Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215328Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215327Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215326Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215325Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-559B-6116-1107-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215324Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.743{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-559B-6116-1107-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215323Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.744{079FE16A-559B-6116-1107-00000000E701}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215322Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:20:59.181{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D464AC68ACA6EF535E304A641AD17176,SHA256=D5FA4A539971AE05353FC9E1785320317A834DFF3F27BF521001A31B68992D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161661Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:20:59.000{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5E3647741C9C850EDB8A24F45024DF,SHA256=BC392B283AA12C3C752D9E6E966CF13C23A416CBF27C3DA29B4A0CDC1C2F374F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215349Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.763{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3CF45199125697D70A7BC6303478520,SHA256=871E77E1AB7CF0FC3BA09EE7B3B5469C3721E5A21420DAFFF9222771A051F016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215348Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.761{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EA71F5B8BB91B6B57BCB1F00C2B053B,SHA256=BA180C5B87B25E30D581B48FEFA42E45AF9E73D35877DB7B08BC291FE2904860,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215347Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.627{079FE16A-559C-6116-1207-00000000E701}63725024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215346Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-559C-6116-1207-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215345Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215344Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215343Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215342Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215341Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-559C-6116-1207-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215340Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.396{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-559C-6116-1207-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215339Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.398{079FE16A-559C-6116-1207-00000000E701}6372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215338Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.364{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8A4B17112F98201790AE297AE1EE9CFE,SHA256=3B85E146B31D67B49E83B5B098D52BBABBBF664D339494D3C66F90247EE49A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215337Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.364{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C7A9B9433C08FE8F3B9AA3B51EBF6CCD,SHA256=CF0C8053E6D8A490AAF297BD45F6236F7C2DED94876FB7C2FF81F5156274C8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215336Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.364{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=B0A18F0DEB973E5247715F94232B19CA,SHA256=997FE4F451E102977A034310926705209D739CDDDFDEF1AACD23F1C630A565C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215335Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.364{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C3974B716F69E6591B7CB5792C544A52,SHA256=AE05E731AD0AEB78CAB5C40660A76F590BF7A0B619D2792274495BDFF107FD5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215334Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.362{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=8CAC2BA9ECB238D117138CACCC23B4D0,SHA256=BFADF2BE9FD7AD820E23EE436F2F6284C5763AB9E14F84517E5838D1FF5EB8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215333Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.360{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=26AF8D61870F44A2628ED1399E41D890,SHA256=3B213B7724AE4E9E85E20698925273475E44676179C13D7695741CEF474883F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215332Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.196{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF6068D1ED981CCF92B35DFEE4CA92C,SHA256=767A68512A284DB64E900068D8023F043FA251D88F5431E96E0D551DADCD8EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161662Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:00.016{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE411C4754ABA5B376B95C9A3A8DEEBC,SHA256=DC2A78096B64CF3558FFFD27C19173B6D377F05A99DEAD958B2BB37AE2590668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161663Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:01.016{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABC945E25C07B371BF0FCB7E2CE7A29,SHA256=85CA2B6910364A2A7CB47D9608A301C794749F39082B1B04DAC1F48A29355E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215358Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:01.227{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF998CD4348614C414900B84A5978A5B,SHA256=441F48AE36FF119A95F7A1EB49746DAA65EB08CC646C018CC642AE9BD169F089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215357Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-559C-6116-1307-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215356Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215355Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215354Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215353Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215352Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-559C-6116-1307-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215351Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.996{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-559C-6116-1307-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215350Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:00.997{079FE16A-559C-6116-1307-00000000E701}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161665Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:00.779{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52166-false10.0.1.12-8000- 23542300x8000000000000000161664Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:02.047{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A19F0183B3D819487A7B91E0CB89AC5,SHA256=02E3EE2047E3F7D94EEDD6B1212E4D395E91DFBC9D6F94255461DE9DB118AF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215360Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.241{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12964067F73FD94C2279D60C6F664686,SHA256=1886626E8809A4A39F10F32CA8A02045D223586854526E72791D7F02DF15CEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215359Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.010{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3CF45199125697D70A7BC6303478520,SHA256=871E77E1AB7CF0FC3BA09EE7B3B5469C3721E5A21420DAFFF9222771A051F016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215369Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-559F-6116-1407-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215368Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215367Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215366Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215365Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215364Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-559F-6116-1407-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215363Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.793{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-559F-6116-1407-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215362Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.794{079FE16A-559F-6116-1407-00000000E701}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215361Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:03.259{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D79EE79C36E9CC246C07549D3EBFBD,SHA256=896F82D3C8C018A2A10A3388F21A9539F82E75BB94D588CBCD08D1CC46F0C9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161666Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:03.188{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3EDDE7A7277FAD2FEEAF45F9215B35,SHA256=0609535DB07F3A3D15CEF1F616EBB6BFE68A4D7819E93258D2C6649FA037310C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215382Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.316{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215381Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.725{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=718ED949AC98F2164D5C29584ECA195F,SHA256=76C1A6EDE0A383AA2EB6C03E05B82CF122BDCE979B318B7CDDB026C0B5CC108D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215380Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.625{079FE16A-55A0-6116-1507-00000000E701}22961232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215379Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55A0-6116-1507-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215378Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215377Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215376Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215375Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215374Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55A0-6116-1507-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215373Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.393{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55A0-6116-1507-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215372Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.395{079FE16A-55A0-6116-1507-00000000E701}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215371Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.278{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A30FDD91F74788A2C07DE73E5CCAD7A,SHA256=8081BC99FC1D2DDF14D61828812EC2F384D7F0F722BC0DDDAC0C98EC94916E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161667Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:04.203{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21966B69A2C9FFFC1B5D35C220A244BD,SHA256=131E43F4F9D96884ED28D586219C90442AFB584AF09CE94A64DDA2431F99BD49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215370Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:04.194{079FE16A-559F-6116-1407-00000000E701}71447064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161668Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:05.219{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF3DBB3F19065BFCBA8E9A339ECD534,SHA256=7A0DD37469F9A3BAB4DC8BF1E8DDB307D8BF2DB1ADDC16092C789A7597293F0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215408Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.961{079FE16A-55A1-6116-1707-00000000E701}65726656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000215407Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.832{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64823-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215406Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:02.832{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64823-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000215405Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55A1-6116-1707-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215404Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215403Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215402Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215401Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215400Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55A1-6116-1707-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215399Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.724{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55A1-6116-1707-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215398Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.725{079FE16A-55A1-6116-1707-00000000E701}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215397Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.393{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=6AA0CD7B0C804F479CAB10B216CC0BE6,SHA256=140AC6CD6D42A130C9BCEC8EF6C9C5BF0B65A6820FA05A8BDB05010781CBFE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215396Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=1C4F54BB566879E85708CDBFFB4FBFDD,SHA256=583F9225F812183CA4BC573995AF7DCD3D83E11370A96D3B3756AE3E0674A36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215395Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=2C667E70B49E8E6BCB5FA44AB3C97241,SHA256=6D402DA4A4361D9CEC4DCEC16CF0907F4961C941FE54E37FB5377F6F1D12D60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215394Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=C355A2502E36E82155E7DFD09EF57178,SHA256=222A767CAF6D7B999633A3172CD8F2B2D5CFF4F42E117B70170B816893715365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215393Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=939FE3A4B961E1DABFBA20A6EAC1D7C6,SHA256=242B4D2639F70D4CF3B2CAF9AA210A0A31480311D22859E7B26F743D023FF3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215392Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.377{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jo7i7hgz.default-release\datareporting\glean\db\data.safe.binMD5=23B6FD7635560D1399937EDE2E46750F,SHA256=5DCC42E8D7262E665F234F9ACB320EBCF530674FC67255C22EAF87DB11278ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215391Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.293{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB3168C904EA66E75D4DAE2CE373B34,SHA256=AA4482912255A22FCBE6CE072FF4EC3ED741CC82ADB69F880C92F8591ECF7F47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215390Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.062{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55A1-6116-1607-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215389Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.060{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215388Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.060{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215387Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.059{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215386Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.059{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215385Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.059{079FE16A-269F-6116-0500-00000000E701}412496C:\Windows\system32\csrss.exe{079FE16A-55A1-6116-1607-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215384Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.058{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55A1-6116-1607-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215383Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:05.057{079FE16A-55A1-6116-1607-00000000E701}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161669Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:06.219{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8362731CB4AE2303110D3362830C42DD,SHA256=685F9844126538B8885F09B2DA80AD0DC4973737C24481FE8E3D3FDADE1E53D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215410Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:06.308{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FFBC155439970593913C317CED83A8,SHA256=3EA6DFDA75CE2201130BBCA93F8EE7815561F47A6BA73464D98CAE4E5F425F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215409Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:06.077{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD37DF455DD188B6B19ABCC9B904049C,SHA256=6C8C59038A5A07291A0FF57127D9AE37B8BDBC4F946A1352C76CEA201D4884C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161671Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:05.826{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52167-false10.0.1.12-8000- 23542300x8000000000000000161670Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:07.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F3D752733D3BD657164AD539DBAE1C,SHA256=CF5B8721CDE81F74F6D1FF5F88B3B488CD674DB111B6F36279D071F6EFFCE7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215411Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:07.323{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B594AE92C244BFF946F2D43131E754C1,SHA256=9B95F7D4783A4A7A41910FA5FEB912A1944844018F3169B08FE52F12DA479DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215412Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:08.338{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6083686D3277284C5DD4971808449538,SHA256=73D2EEA2EF3DC205136FFD4A396E55506D02A4411E9AAB9315E0895D64E2F073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161672Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:08.313{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190D0042274254E0FE69615C39EBB6DF,SHA256=C9F2E86DD0065BF994C8A70A0E3DAAE05826B0B12456ABE4939F29357D906317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215413Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:09.338{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC9D15DD146BA9D69745567D7B15D34,SHA256=63DF3D39DA7DFAD844A86ADEADBE7113C5F3990B6B239113B8DCE95101C9422A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161673Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:09.328{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6494650CDE0831C9330E536459D6897,SHA256=8B296BC33FCCD6284B56B866EACBCFE2012282EEA5C65A9FF29F182A8F8234F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161674Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:10.328{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4F94BB61E7D7D7EFC9784D8F6029DE,SHA256=2F52B105405F0BA183F3AE6DB01F32112FBD55F83FB43069D09D46E431D7BF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215414Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:10.367{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156CA48F1F2C3FE02B438D02768C08B9,SHA256=C18D6BC14A2E0A0CD1846A866472FAA0F4EB54F1D68CB608096E022AE604D09D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161675Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:11.344{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BE9C595E39FAC850E7F4738043D0EE,SHA256=BB92BCFA6772CDA4A0EDBB60DDB48201ABF1B2890F400D364F912DD55C09DE99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215416Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:11.385{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCD6757D4F88952404354153801BCFE,SHA256=7BCAE34062488FC283BC82B946609A33A9CDDBE448BD4A00AE35029DB43AB04D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215415Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:08.177{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215417Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:12.400{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1528CEF5655E6D9D5F28CDF74B3E0FB5,SHA256=8F1B194DD9DD3CE189762DEAF7ECB688B25020070F73A1C27063AB99EB501AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161676Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:12.360{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AB0ADFA3D020AE21ED69ADC6BFFFF0,SHA256=EE18AF905510EBA058A4DB9828A0279209AAC9FEAEB06A7B103C5860DA3299C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215418Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:13.431{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEED14AAB4FDD1217393449EB548F1B5,SHA256=72798375C5C48CB4A7AC45823B42D2E4EA40765F063964AFE16707D824472C70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161678Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:11.811{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52168-false10.0.1.12-8000- 23542300x8000000000000000161677Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:13.360{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F39E18549A2A18390E0EB654326454,SHA256=2014A9678F5F0787AFA3219B218AAC238E68BA01DBDBC68F11067274A4C35F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215419Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:14.463{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA814C3B582BCBCF8C8A713BD308B4A5,SHA256=75B3D0CAB5535E4D4839254B6260AADA2A74D24B75E63962415987C559E8F3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161679Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:14.360{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A872F07BA45D9C5618ED5B1EC2B94F,SHA256=B55271A405D792310021D8EE238EE5B61928D718BC0BDFEDEE37B547DD3A5709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161680Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:15.375{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF502B06EBD4420CF2B811633F86E74,SHA256=F3E0A84B22469C2E2BDD216AAA5C4682E89452A09010E465A9C53D6E5E1A4EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215420Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:15.482{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE2499BDF04B0FA94464A0383A35745,SHA256=4A7B5B9A68D6A3D30942D2EE95F75DC75066C97B50A73C85E05DB9FDF65C230E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215422Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:16.528{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB64B85591F99D746BC97820556A1D5,SHA256=978600D255114FC10600CB32F327CC3B21AF0B582D8CAB784BE247C7EA41DA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161681Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:16.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D7E8A9BB6A70EBD22BD8C8468A8D37,SHA256=9E3B2CDDB22867BB51D27E3C3C4A95020D5B6C875833828A57631E0D9C59F5A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215421Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:13.221{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64825-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215423Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:17.530{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C9CF8FAD18032412C361419E4C7CF6,SHA256=66471758C7AC1C2D9B16C7853283C5DBE2595900A1F07612309E98FBA91003C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161682Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:17.391{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A345C0CE527471BF43E9A21537BC4D95,SHA256=040F82D07A3ECD17D58B7EC1AC252D141A9F324F54A0BBBA65CDF9E042208681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215424Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:18.545{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7413EC6E8B1BAAD6F90804382B62CEC7,SHA256=D80408B8DB4AD2B62712DF7F255859DDF6F5DDBB03040B64485023DE022418E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161683Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:18.438{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D08EF0BBA74942DD20CE3135695185,SHA256=1F887F88803BEFB76BA11E5AA5CDB9DBD47FCB5A1191C237CB367E19B7E6A68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215425Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:19.566{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA0CCB8574955EA9D1DBC1CD39815FE,SHA256=65D8B90032D0A7569786C4D3864EED93D3FB14D408B82C4F7A94DA776CA59507,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161685Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:17.826{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52169-false10.0.1.12-8000- 23542300x8000000000000000161684Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:19.453{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB0CA7BB81FBE66BAC517CCE90935BC,SHA256=CD0CFA4313EE5AE36E83BAA72591D7C5787E0061C64A1AFA9BD3B7437AF3384E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215426Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.581{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC889FBDD1E11A60D697958D7455F723,SHA256=7393AF5C619533CF196C7025DF788AF9B94872B509CE5905AAF7178D521DA123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161686Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:20.469{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98A6E3D7670B9C8B3D1A8DE8A2B2A40,SHA256=CC673C4FE51E732A9F659E33262A3F4486E14F4796CDA062B6C4C841E11B12EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215428Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:21.596{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364595D7600D6FE0C1664987F6F25C7F,SHA256=EA8C172F7DAC3F575A05717221442616BC03DD6B1E9596FE227C604CAC6A8549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161687Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:21.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AB97401FF2FC0EA05FCC754928C507,SHA256=D2C51DCD40DED661B7E26257A67A35C3B81CCAEDE5F0A9990C2D55E082915F7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215427Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:21.512{079FE16A-26A0-6116-0B00-00000000E701}6285044C:\Windows\system32\lsass.exe{079FE16A-269C-6116-0100-00000000E701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000215432Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:22.626{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC83C4C1C3C73807245BEF126B75259B,SHA256=60296B60D2A307A7EC3B90DB76E513898E728759680306AF09E287315DE2D78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161688Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:22.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B4ACC3436D53623F7372B239DE0E5A,SHA256=EA403C7F0D17CC35EA183F70A3486C0A5E51E65C6244B61BE6CA83A6DAD080BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215431Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:22.442{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C942457AA3021C4BB4D8E69592B3B2B4,SHA256=D20C1AA4D72A22902A5E11C02B779BD9A903194B670797487559E4B9976A5568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215430Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:22.442{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222F4B2696E2C39189F18577635EA89A,SHA256=3B1102F9D3194ACD36A4E8997C988C2C033EB15B661B7AD48654A7C21E1FD6CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215429Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:19.182{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215439Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:23.662{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A18855860016BCEE2F28530FE4DC46,SHA256=C2F7BC857B88201C4AEF5A914E376DCB5CF27CDDE41580F2E8DE8545FBD3A17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161689Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:23.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E615685AD3A303C488FCD465B1855BD0,SHA256=C4C8F8FBC1AD668ACED31B305E63353BA47D93A0B803AD048FA471AAC5B7BFEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215438Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.641{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64829-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215437Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.641{079FE16A-269C-6116-0100-00000000E701}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64829-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local445microsoft-ds 354300x8000000000000000215436Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.548{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-414.attackrange.local64828-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000215435Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.548{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64828-false10.0.1.14win-dc-414.attackrange.local389ldap 354300x8000000000000000215434Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.524{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64827-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215433Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:20.524{079FE16A-26A2-6116-1600-00000000E701}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64827-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 23542300x8000000000000000215440Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:24.677{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151E58FFD8D05C2C2ED53A9B6431880E,SHA256=08C68E01C441012E46E04121D15C5DB94D641FC138F3892ACFC5104C94EBF31C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161690Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:24.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5752B1C34A7A91EB522CCA293E417423,SHA256=0ECBB1244C28402C5457D9CA4FDE623373E4B1450E7DFA1CB857E8F36A87422E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215441Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:25.693{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3771C20A3F7F8FF6866BB435F4E353C,SHA256=45E1C982E9817717565AC37104C172B1573946708A05341BD5F2B7EBACBB6CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161692Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:25.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1A9CB872F7AED74816F59B48D1A650,SHA256=25509348D830AA64CBB37EE5DE01BCA8129F3500DB49F59C3C557BE3DC0FD3BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161691Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:22.889{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52170-false10.0.1.12-8000- 23542300x8000000000000000215442Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.730{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1D5A603A6A08EB8E7D613C29BE9FE3,SHA256=5A003429335842DE8D8CA4E238E24584D28B5530E0998D5C7C5B130C7F11B2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161693Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:26.485{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3755CF4A8A4EBA7B4CB25E297BCAEE6,SHA256=D5F09BAE3F0E3D8FA57E4284499463FC910F99B2F7A9915C493CB3E409A100A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161694Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:27.516{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06681CB9A68B6F349C6582268D0D5674,SHA256=B7965001F0BB70E2A38FE68A9A7ABEEF735C86ABA8DC538ADBAF998B1A35945B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215447Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:27.765{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DBC86E294F004A89C9218EAA5E31AC,SHA256=73DFBABE6C1AF17AE8172928B86C9E9C22B394724B3FF16B54E9E05FB19DCB36,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000215446Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:21:27.382{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x8000000000000000215445Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:21:27.382{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Config SourceDWORD (0x00000001) 13241300x8000000000000000215444Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:21:27.382{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\44A90C05-1D96-49A2-A5E6-242C78701B1A\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_44A90C05-1D96-49A2-A5E6-242C78701B1A.XML 354300x8000000000000000215443Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:25.184{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64830-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215450Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:28.782{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D02B2E1087F30451F63F27998AEAF68,SHA256=613FCF369BEF27A9DDAAC16979A798718B6394CD403E5F2DE95A45C2EE859E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161695Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:28.578{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC6110983CCF97083C2D1A7AED3B4A6,SHA256=ADB65EBD992A454245809B9BAE7041979FA412553326CB8A504959882FCD5624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215449Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:28.444{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=237F2347FF3039790156D744C889DE90,SHA256=03D480BB32EB6D4C82B1718B43C7FFD9FCBF192DE055940F9BD5C9C50F786065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215448Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:28.444{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C942457AA3021C4BB4D8E69592B3B2B4,SHA256=D20C1AA4D72A22902A5E11C02B779BD9A903194B670797487559E4B9976A5568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215457Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:29.812{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9644BF1E73AEE4D0507FAF8D4FCE410,SHA256=AB9D1070C49516B915FC8D117421A8709748C82C1B98A5934A301F4DA917F89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161696Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:29.594{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A654C95A5E30895000C5D037126263,SHA256=CD02FBC39F9F6B97F683FAB2D386E15AD32CA6D171154AC82B1F2D82AA57A537,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215456Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.524{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64833-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215455Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.524{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64833-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215454Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.512{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64832-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215453Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.512{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64832-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local389ldap 354300x8000000000000000215452Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.486{079FE16A-26A2-6116-0D00-00000000E701}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64831-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 354300x8000000000000000215451Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:26.486{079FE16A-26AF-6116-2500-00000000E701}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local64831-truefe80:0:0:0:90b9:f4b6:88e5:d05bwin-dc-414.attackrange.local135epmap 23542300x8000000000000000215458Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:30.826{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66AEE65E639109A9D6C6F4F22F450F7,SHA256=FD2E2D037F8908B49E5F86E29E92A66179799E716D3DF5ED5335A7831C995EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161698Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:30.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627AA87D3C864C5B26DFA6DE86F0F293,SHA256=DA9A747C322D727144C4C3933101F99435B8E2083C198BE57C0C4B1FA5374C91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161697Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:28.748{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52171-false10.0.1.12-8000- 23542300x8000000000000000215459Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:31.842{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AEC6482EE39FB0DC006B7B9EBFD59F,SHA256=4C8944A013092C8FBBDF51F637B01137CBB29BA0D85101A597EDB2B35AE7DC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161699Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:31.641{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10C2C743D8A9845853C9E32CD5F9C80,SHA256=9C6B49FC9669AC2FAAFE524C7B693CC07A430BF79FBC2E2CFA94B9494434196D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215461Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:32.879{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA3DCCABDD7EE8FBD9239459826F680,SHA256=E999CCF6F07DAAD237A6007A7C6D65F909B98243F3C42761B32E59CE0F194BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161700Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:32.688{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A0158CCF697FC56949EFD15840CEBE,SHA256=600904C27C2FAA02E3696B0AA3DD94E26F799B9C022F445EAB4C10F12C7A528B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215460Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:30.380{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215463Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:33.926{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCC7D672DF9C0A43334D18EB6453329,SHA256=69393320BC09F16C64B3BFAEA8E3146963614EDD66716C9EB5DA3663F798750F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161701Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:33.735{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B893608346D4D77411A77F5F55422AC9,SHA256=5F6676ABF3828BA681EBF0534DB05141E0BD40F19051BE79B7EAF82514A5E034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215462Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:33.262{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=237F2347FF3039790156D744C889DE90,SHA256=03D480BB32EB6D4C82B1718B43C7FFD9FCBF192DE055940F9BD5C9C50F786065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215464Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:34.941{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15E602D068D01E33E7AD375BEDEDC15,SHA256=BD5C6F2082D2B495B706FAD1BB223FA7C5CB38EBAC0ECB384952611088216FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161702Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:34.782{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8510A8C5EDF0822D2F36D1EB4B066DF6,SHA256=8A118359EFD2CDDFA696504DCBB00B5CF1A239AB0767A5BF63020C0325AFA676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215465Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:35.959{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBB84AE8E295D10EF5AA8126F5BBAA3,SHA256=432372DFD9D8E2A74EE360EB39784A2A9A0D6AA0D88A83A2697CE43EE27839F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161705Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:35.782{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8D8E0D82A7149D4159C15A1F6DFD5D,SHA256=E81DB14AA72129C4E901679C8890F153B7A6CE541EDC67F1C84308835D37230F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161704Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:35.313{C6197713-26A1-6116-1000-00000000E801}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BBCFF773F7C4A7EB94C619BFAEA1354,SHA256=3C9AB0DAC0C3CDAB2B3C1C13F53714E752A1A1D10631730D1398161A7A16A530,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161703Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:33.764{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52172-false10.0.1.12-8000- 23542300x8000000000000000215467Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:36.976{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C97A9FBAD66307023803FF2653A860,SHA256=8EF715084CC237D652C7AC02F07CA480805C10EEB38A12053F9C640E89B283BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161706Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:36.813{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880F5680B29D8F19A6B4711B457390B4,SHA256=56E2428CBD39DF3B5FCA2E0B3D59C48664D81170A3B48615411C8FAB8EE18561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215466Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:36.908{079FE16A-26A2-6116-1100-00000000E701}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=28DC80CECFB5ED05195443295F9F533A,SHA256=7AF43D5CE70C3E228E22696FC99ABF16CCC0371055222BFCEAB86A6F59E808E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161707Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:37.844{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE4C73129473C30A30356CB0DE3C558,SHA256=3A67CEB50B983825F50E3448E5252A431A8B1D1A23B19E1E4901CC8370C66F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161708Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:38.860{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE254FE900C34545B6D50CB99CD98B3,SHA256=408914A836EB5C88023DD029EB72F6F045BCB568A78CE50387652E1B65A2AE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215470Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:38.837{079FE16A-26AF-6116-2700-00000000E701}2940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215469Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:36.277{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215468Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:38.038{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DC67ECEA545E697AF2FB5CD7073FE5,SHA256=F37C1AE0686014A07EB712E73134E4A24683EC78FFA46D87233048BE03BD4FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161709Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:39.891{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CDB8E014AB712D2FB172768354056A0,SHA256=DA398D5DE047BC03F6CFE163E514AB2F96261C536518E56555D1703FED34333A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215471Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:39.075{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66861910A86AF2950FE6CC5E79871DFC,SHA256=75C54B75174B2E8A040E59889F676BC6CDDF5517F22FF66C2868DA3C0DFB43DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161711Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:40.891{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56ED4EC615108799503F8BDBA625699C,SHA256=E265B0B5201980F7CD29CF22284CF835B5A696F45937878362DBF6AC5CF07D40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215473Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:37.945{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000215472Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:40.090{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F6F5EF645E39C7F9A50CBDEB20707C,SHA256=7A7B0E4078FF057BB049003651A49243C6547D3655F5CDA469EC145507876739,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161710Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:38.796{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52173-false10.0.1.12-8000- 23542300x8000000000000000161712Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:41.922{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2BE23F2CD2E4415B7AE0B38A1EDC74,SHA256=9DEB1F34926B10F98B9E0973A473FA169EA82DE2FC2934A0A7B1F568FA4CAE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215474Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:41.105{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBEAC2971F4BBC24BD4E70EB2735A81,SHA256=04EED7212A45AB8C8C66A4B24B78CD7378E22AA6F7644B2C61E92DBE969D8A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161713Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:42.922{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B786B9E02559D634A4E08350E03FAC,SHA256=CE90D487F30E9A46D4C06A22796CAEBA5C2D20C210BA11B234DF93BC45B976D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215475Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:42.108{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE68888BC6323F456845B3119BACDA5,SHA256=FB500CF9099724F8EB7D59AF4413B961A87C128E1127E73FDF1705647EC359C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161714Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:43.922{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C2FA5F661FC348231381F4053F253D,SHA256=CA8EA5E11FE7291D7FB182840A0DE061241437B7723BA36E12BA6C9AF47032A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215476Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:43.121{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31ACB1899BC16DB24CE9F23D35C2FACC,SHA256=510D2F8EEB6FD8110D7D546242708592818D911055BE0253B310D1EB08354315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161715Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:44.938{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588B20102655D804E6EFFA62A31708DA,SHA256=DAB8B7D6F03D83DF366F3A0ED6854725B7677CAD3EDC5A84EE9958F74B56ADC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215478Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:42.228{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215477Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:44.190{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1816C6E1A21B5BCD8FEF844F1D69B323,SHA256=2B8BEBA0BF2964788173FCFE72DA99214D2427EED830704DBEE973D1B33F101F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161729Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.953{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67D47986280004B34A9F99961E747D5,SHA256=13D9AD6897F5FCBAEF80D68310F61143B302AA6E0A0E8E7F087C8F8B1F2DAC37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161728Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55C9-6116-0D06-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161727Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161726Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161725Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161724Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161723Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161722Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161721Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161720Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161719Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161718Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-55C9-6116-0D06-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161717Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55C9-6116-0D06-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161716Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:45.657{C6197713-55C9-6116-0D06-00000000E801}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215479Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:45.220{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F8A52B291169C9B6FFF483447EFC9F,SHA256=C23A2B75B93546E0A7776310EA53C161AA1595158AFC17C7C3D05BB89B4A812E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215480Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:46.235{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C0C4EB3544B94DC4C103FA602DE7DB,SHA256=EC8DD0702C10173BD8478764310F3C7110B6C661727C39758F42013ADF47AAF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161759Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.907{C6197713-55CA-6116-0F06-00000000E801}2564868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161758Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.719{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDFA8AE85A11D4591247FA154B1CFAEE,SHA256=E703379308DD0DD56FA70E07BB1A7EF5B579B0C3A85A90D567CB1F530259C5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161757Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.719{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA826F20E7D76791B206781B1384445D,SHA256=CF4BAB7466B1117CC2EAE146E0310E88FABE828DB8E102209DC8FC242DD810C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161756Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CA-6116-0F06-00000000E801}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161755Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161754Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161753Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161752Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161751Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161750Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161749Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161748Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161747Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161746Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-55CA-6116-0F06-00000000E801}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161745Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.672{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CA-6116-0F06-00000000E801}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161744Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.673{C6197713-55CA-6116-0F06-00000000E801}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161743Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:44.796{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52174-false10.0.1.12-8000- 10341000x8000000000000000161742Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CA-6116-0E06-00000000E801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161741Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161740Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161739Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161738Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161737Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161736Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161735Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161734Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161733Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161732Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A0-6116-0500-00000000E801}412428C:\Windows\system32\csrss.exe{C6197713-55CA-6116-0E06-00000000E801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161731Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.172{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CA-6116-0E06-00000000E801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161730Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:46.173{C6197713-55CA-6116-0E06-00000000E801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161760Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:47.000{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710FAC7CD4EA9CB13B422D64CF55F9BA,SHA256=C8B1CB4B76337C59FA6D445CEE2060D72FA16FC69B9A5714FFBE8D95371BF98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215481Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:47.253{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69769E413E8F85724EE91B3D30DDCCCB,SHA256=B08EF49ED42003108BDB75523A72E6018FDC90A64868CF789A7B5D232971C237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215482Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:48.271{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323AFCED681AE6321F6AC371971E34E7,SHA256=E66680DF29E4D1A837927CC7E6201DC05EC2DC0E9075804FF00AFB68C54E25E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161790Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.985{C6197713-55CC-6116-1106-00000000E801}28363540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161789Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CC-6116-1106-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161788Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161787Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161786Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161785Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161784Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161783Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161782Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161781Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161780Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161779Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-55CC-6116-1106-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161778Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.797{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CC-6116-1106-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161777Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.798{C6197713-55CC-6116-1106-00000000E801}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161776Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.610{C6197713-55CC-6116-1006-00000000E801}26641192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000161775Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.375{C6197713-26A2-6116-1D00-00000000E801}1892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=7437DD3B54D1F17730CF8766724DFA6B,SHA256=69C997B67F7E7A6FCA3EA332C25CA817950327E6931C8B821E0C9BBFA52D78A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161774Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CC-6116-1006-00000000E801}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161773Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161772Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161771Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161770Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161769Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161768Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161767Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161766Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161765Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161764Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-55CC-6116-1006-00000000E801}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161763Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CC-6116-1006-00000000E801}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161762Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.282{C6197713-55CC-6116-1006-00000000E801}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161761Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.235{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7225CEBFC6D9E15DEA8B304484C1A911,SHA256=44EC31C58D6F9A7B3F85606FB35729255F65C5A5D45E21769F933CFAB354C33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215483Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:49.302{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC53938633FC19DEFF0FDC37677783F,SHA256=699E4DA1557D1F28CC735A1843446396962B631D7FC3BF851D6496D70FE2C6A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000161820Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CD-6116-1306-00000000E801}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161819Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161818Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161817Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161816Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161815Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161814Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161813Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161812Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A0-6116-0500-00000000E801}412984C:\Windows\system32\csrss.exe{C6197713-55CD-6116-1306-00000000E801}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161811Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161810Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161809Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.813{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CD-6116-1306-00000000E801}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161808Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.814{C6197713-55CD-6116-1306-00000000E801}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000161807Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.547{C6197713-55CD-6116-1206-00000000E801}31202236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000161806Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:48.033{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52175-false10.0.1.12-8089- 10341000x8000000000000000161805Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A3-6116-2B00-00000000E801}28762896C:\Windows\system32\conhost.exe{C6197713-55CD-6116-1206-00000000E801}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161804Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161803Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161802Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161801Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161800Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161799Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161798Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161797Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161796Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A1-6116-0C00-00000000E801}7284000C:\Windows\system32\svchost.exe{C6197713-26A2-6116-1A00-00000000E801}1828C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161795Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A0-6116-0500-00000000E801}412528C:\Windows\system32\csrss.exe{C6197713-55CD-6116-1206-00000000E801}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000161794Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.313{C6197713-26A2-6116-1D00-00000000E801}18923316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C6197713-55CD-6116-1206-00000000E801}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000161793Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.314{C6197713-55CD-6116-1206-00000000E801}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C6197713-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C6197713-26A2-6116-1D00-00000000E801}1892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161792Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.297{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDFA8AE85A11D4591247FA154B1CFAEE,SHA256=E703379308DD0DD56FA70E07BB1A7EF5B579B0C3A85A90D567CB1F530259C5CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161791Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.282{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4810A92D3188A2CF08C3EE3E2F4DBA01,SHA256=2E68D1FB99D10A78B725E28FE0452B6B57A228DB5780B9BDF01F8E869AC9A93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161822Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:50.453{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BCD33F9BD755ACDB1CFD3F6FD4EB5C,SHA256=FB08009FDEEF589BBC74799165437758E54A24C518CB448F331C9B45539879F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161821Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:50.453{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67DBE9592DC7A45DA800DBD51BB6FE5F,SHA256=B8D8D2E694CA966ADDA3036F61B7E13240CCD87B9BFD38867120871344C03393,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215485Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:48.272{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215484Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:50.317{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247501F3D291E90FA46194667C43971F,SHA256=2AF0A4C1E4B683A17B62619D85363B3C93979A3D27AF22F3DFFB62BA026D0CE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161824Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:49.811{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52176-false10.0.1.12-8000- 23542300x8000000000000000161823Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:51.516{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4E34C7E68930AFA02F7E2B26D8293F,SHA256=7CE062C564240E01CEDE30647A9979E541B2E34CAB16ADC7365A9AA3A9389948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215486Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:51.332{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300688200D114EA862DEDAB6DE5ADF2D,SHA256=17A4EB292928BBF7BF9CCED9D2831FB6BF3411276469F7B3DEDB0CC3A67953CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161825Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:52.547{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8462BF30E91892D91F54AFAA2BD088,SHA256=F6BA164B5D166623B8AC83F6B324B1B37D7BD9D815FE31E4A61E19B3BA6E5D6E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000215488Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-SetValue2021-08-13 11:21:52.715{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79035-0x6a9e8bd8) 23542300x8000000000000000215487Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:52.369{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5454F7F7432D989884AC310ACEDF9B67,SHA256=601FD9852D951C7D7EA90CB31B69AB1C236F4CD76999A58D9EFCFED8FF1129A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161826Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:53.547{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AA1E080FBFEE1F96B3429647B41594,SHA256=D34D57D81C9CBDB0E2051A087557B0E3DBFCA62D9374E0F07C6D924A95AD003C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215489Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:53.369{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E95F8FC315F07A2A03D07402A526BEC,SHA256=FF6D7E5FDBC863275097B15BE18B7E87EE6D626A96314A481DD080E5E60EA4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161827Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:54.594{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B76F5422227249B6EC7B7A284B3C31D,SHA256=C83ADA9C2BE65AADE3F09870E45A3594C18D402C6B326072BB4B0FA6913EE4DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215491Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:51.822{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-414.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000215490Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:54.370{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307775EF007372F08098BAB5E2917FF9,SHA256=43391C3E816D7E36BF53BF91634C6A0489CEE52CEE0EA389CDEFBC41874080C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161828Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:55.634{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B582DB5CD7939298C11E0F9C37EC995,SHA256=25CC072C6EEC0580048362A5BFB45BDE92AA30CB46FC6AC13EA3541522DBB7F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215493Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:53.409{079FE16A-26AF-6116-2B00-00000000E701}3036C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local59431- 23542300x8000000000000000215492Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:55.400{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FE864D9EB99DA43DD934E1687D4C6F,SHA256=C34AA15D0E35D1AB3A213C067D45184F6E9B0D9AE05A9C1AE63B70CBA309855A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161829Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:56.724{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D039DB058F46E7B2AA0A343A088DF1,SHA256=567865570CA34B8B0424EF1C7FC7FD11FB258C4D647D85E17223328821C6598C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215495Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:54.274{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215494Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:56.415{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BE0A0CDB9DB72B5002F5CF2540128B,SHA256=D4518BBA19A11F8F78AF17C8BCB84CCE43C1AD55F4EB1C5E4F36B243D0BEA865,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161831Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:54.867{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52177-false10.0.1.12-8000- 23542300x8000000000000000161830Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:57.737{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E84B7831230BD1978BC5B48E24112D,SHA256=C714F2D5AFA7EA98BCAF6F01EB33DDEBC711444DDF39BC366C9A22F425D180BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215496Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:57.430{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5DEC2578D6FC1D41D63D19F3474EC6,SHA256=EDAAEAD08F864AC400596EB310B0A1D38F0ACA62C92AE95A7866B653522C11FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161832Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:58.737{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35CD9019267A974C6C162CE89019572,SHA256=C4103F8AD7AA8999D0E268B05BBBDBD656F46320580E0B4B8F0F6BAC6E1A189C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215497Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:58.466{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2310EABAF2BA66356DA95D4656054A2A,SHA256=4408FF5A0320B17BFA629408156FE7AB8B4651723E64A30497F658B6DC3B0ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161833Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:21:59.784{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2450A48C7351CEEA659F813854CDCE,SHA256=EEF4EDD4C4743B22B39C237B2C5514C5D38C3E007555C968D1BC51866D734F5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215506Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55D7-6116-1807-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215505Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215504Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215503Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55D7-6116-1807-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215502Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215501Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215500Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.766{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55D7-6116-1807-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215499Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.768{079FE16A-55D7-6116-1807-00000000E701}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215498Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:21:59.497{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382324D4FA2DB99C8D12F37D8E0D27C4,SHA256=ECB2B3F7089089D79C7DADC3F2506693BE26660EB60FD9397EB4D0ED483A7563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161834Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:00.800{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC197400C2C020FFC29DC0C3853F55B,SHA256=3100EC926D5A30CAC77EE9EA53BF142120AE2A245C0626A03F63E0C89080EC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215518Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.779{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9E7C4EBBAEFC34FE6019CA1FF28C889,SHA256=0E549314903F0F67467BB196A520E4B59816D7551D8FF298B094C2B382B75A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215517Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.778{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4073CC7B21ECA82CC4177C1A1733790C,SHA256=7498E73291387BB7036F58E3902BFAC9DE1C580766B3F3F930CD317E53198E64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215516Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.679{079FE16A-55D8-6116-1907-00000000E701}53605892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215515Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.526{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635B50A1A6645B7A6B95D0AB679540C9,SHA256=DCE1BBA12759CB1CD24991CDDC7D81CFE33265901ADCE64DFE6D6C7549E98CAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215514Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55D8-6116-1907-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215513Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215512Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215511Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215510Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215509Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55D8-6116-1907-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215508Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.357{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55D8-6116-1907-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215507Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.359{079FE16A-55D8-6116-1907-00000000E701}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161835Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:01.862{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BEDDB4D5211482B1E2A798802824CB,SHA256=175F2626ABEC1DA2EFA98494DB1F4FA26DBF3DE648FFBDF4FA07B72F10CF4AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215527Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.558{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B34A0DDFD9608028F816635A8E5DC63,SHA256=A0535458B4871738B67545844B0FDF54C5AC6102BB5E87FC0235D679CCAD22BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215526Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55D9-6116-1A07-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215525Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215524Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215523Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215522Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215521Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55D9-6116-1A07-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215520Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.210{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55D9-6116-1A07-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215519Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:01.211{079FE16A-55D9-6116-1A07-00000000E701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000161837Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:00.908{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52178-false10.0.1.12-8000- 23542300x8000000000000000161836Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:02.925{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB511459AC3B926D0BD9E7CA2B9CCF64,SHA256=77026B1CB2499A32AF1020F24E484CCD1C646214411319C6B5671BB0A50E0E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215529Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:02.579{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E10947DE16E65ADB8838A5B129A112,SHA256=AD2E93C4E384DD029B46395234722823FF5813EA7320DFA755049BC2C7DBF3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215528Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:02.241{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9E7C4EBBAEFC34FE6019CA1FF28C889,SHA256=0E549314903F0F67467BB196A520E4B59816D7551D8FF298B094C2B382B75A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161838Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:03.956{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD63DC650D8B30D696A23C4873687F5,SHA256=30A35709CA2044AAFB811104D2F2D4B1A4813498BFDD9910F71980B04996BAAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215540Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.956{079FE16A-55DB-6116-1B07-00000000E701}62406432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215539Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55DB-6116-1B07-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215538Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215537Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215536Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215535Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215534Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-55DB-6116-1B07-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215533Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.725{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55DB-6116-1B07-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215532Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.727{079FE16A-55DB-6116-1B07-00000000E701}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215531Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:03.594{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BDB3B5CA05B09C5ED6178CFCF49BF7,SHA256=D4D24353D3F1A34089DF47A81D6A46F7733AD009DC2357B81C9C506729F89301,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215530Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:00.317{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64840-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215551Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.724{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45245E0A0CBF07546705C596D8269E11,SHA256=5464B3EA0D604E0F3CFB35DA459A278F87FE152F62F685FF962732229E33D5DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215550Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.676{079FE16A-55DC-6116-1C07-00000000E701}51685332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215549Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.609{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687092DAFA0D06E7894BB71BC99E6821,SHA256=5CDBCB1D02E51BE1DA3951881E3D030302B059CB89FC291046473039394B9B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161839Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:04.956{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA84DE938D69BDB4DEA78E281A8E0F86,SHA256=30761484B14B580F75C320B0F12EDB867BA7DC3054371D4C6AEDF4BE599AD024,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215548Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55DC-6116-1C07-00000000E701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215547Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215546Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215545Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215544Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215543Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-55DC-6116-1C07-00000000E701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215542Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.393{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55DC-6116-1C07-00000000E701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215541Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:04.395{079FE16A-55DC-6116-1C07-00000000E701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000161840Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:05.956{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3050236AE8CB9E8BF637C1A02CFDF7AB,SHA256=A217E69E61EEBA362F9F1CF14AF17BACBD0AF3AE6E5B4B7CDB148638065C2A8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215571Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55DD-6116-1E07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215570Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215569Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215568Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215567Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215566Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-269F-6116-0500-00000000E701}412528C:\Windows\system32\csrss.exe{079FE16A-55DD-6116-1E07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215565Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.723{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55DD-6116-1E07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215564Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.725{079FE16A-55DD-6116-1E07-00000000E701}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215563Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.639{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4085A784DDDC537A3F738445EE573027,SHA256=770C046D27E2E01780BF4575D6035F13CA56DD71F5999FED669358B6DBF9AF9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215562Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.277{079FE16A-55DD-6116-1D07-00000000E701}10447144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000215561Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:02.833{079FE16A-26A0-6116-0B00-00000000E701}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64841-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 354300x8000000000000000215560Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:02.833{079FE16A-26AF-6116-2900-00000000E701}2980C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-414.attackrange.local64841-true0:0:0:0:0:0:0:1win-dc-414.attackrange.local389ldap 10341000x8000000000000000215559Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26B0-6116-3300-00000000E701}32603280C:\Windows\system32\conhost.exe{079FE16A-55DD-6116-1D07-00000000E701}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215558Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215557Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215556Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215555Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26A1-6116-0C00-00000000E701}8323580C:\Windows\system32\svchost.exe{079FE16A-26AF-6116-2300-00000000E701}2820C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215554Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-269F-6116-0500-00000000E701}412428C:\Windows\system32\csrss.exe{079FE16A-55DD-6116-1D07-00000000E701}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000215553Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.055{079FE16A-26AF-6116-2700-00000000E701}29403992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{079FE16A-55DD-6116-1D07-00000000E701}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000215552Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:05.056{079FE16A-55DD-6116-1D07-00000000E701}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{079FE16A-26A0-6116-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{079FE16A-26AF-6116-2700-00000000E701}2940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000215573Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:06.660{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232BD6624F125B19F34F37C586989656,SHA256=4CB36A5D5DEBA4D5720E0BDB33C443FE3E0BBA81940BFB07560C7EAA59409C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215572Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:06.061{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40FD0D6059E9063CEEBEFD7EC7E0DB3F,SHA256=A35C7D6D5C3945595D4AEA2FFC35AB3CB07B34340C1EEFD1268574CA80CF123F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215574Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:07.676{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A29C9160A7059109CBBE249E0E1744,SHA256=7A5A4C518AD7E31B9CE7D711B74AF3E517DF943ED02EC11D76886DE0E661F914,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000161842Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-SetValue2021-08-13 11:22:07.518{C6197713-26A1-6116-1100-00000000E801}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d79035-0x73714e1d) 23542300x8000000000000000161841Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:07.003{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F3ADA806FF65AF525AC2BCAD87DA38,SHA256=AF9CC736B821AD4B0BBD52EE05F2ABD1C118334D5C699A66694F58712235D601,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215581Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:06.620{079FE16A-26A2-6116-1000-00000000E701}384C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-414.attackrange.local123ntpfalse10.0.1.15WIN-HOST-867123ntp 354300x8000000000000000215580Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:06.162{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215579Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.691{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24BE57F9E90E4DE03C86D2F3C648108,SHA256=37A948B1B4AEA027702595A58234A56D57DA357D5646A40C3F0894BB10055D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161843Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:08.003{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53730A2A9CC9694F53ADFDA940876C73,SHA256=FF35135602506BC64FCE71734CE327ACC81DF6E6DD7B8AD10D64EB6A4FD0DA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215578Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.338{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1810933698989DC8FF6227DDBD3CFC49,SHA256=D732121C3353A6EAF92127915F407861C5997C10A5463C20F10FAB39483C2E68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000215577Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.123{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000215576Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.123{079FE16A-2851-6116-BF00-00000000E701}46524744C:\Windows\Explorer.EXE{079FE16A-2EB1-6116-B301-00000000E701}4676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8036AEE78A8)|UNKNOWN(FFFFD4A36A2A5B68)|UNKNOWN(FFFFD4A36A2A5CE7)|UNKNOWN(FFFFD4A36A2A0371)|UNKNOWN(FFFFD4A36A2A1D3A)|UNKNOWN(FFFFD4A36A29FFF6)|UNKNOWN(FFFFF8036ABFF103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000215575Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:08.123{079FE16A-2EB1-6116-B301-00000000E701}4676ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb8a180.TMPMD5=EDE14DC2DA8B62397B99A720E8551D81,SHA256=8959FFAFDBAF3F9DAF8768C11BE6F82CFC93AA32A873EE989535285EE9E5A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215582Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:09.707{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47817FC007D788E86519FE0BAF4925D2,SHA256=3D0FEB247E6B973A08E8BB47F2DBB9D7119329A47059BC2ECF9B7880D6D3505F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161844Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:09.018{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8143ACC568865779574AE7B5F82179BC,SHA256=7EB12DDD4DAF0CCD1D54F7F6DF35282F4AC4BFF6A330CAD1318A97819917C5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215583Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:10.722{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2A3C83D5D4FDCC5BD6BC10E68D05A7,SHA256=335E933A5AE1D8F067A48B40D34CBE98641A36F57ECF3368E811D7C79740779A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000161848Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:07.173{C6197713-26A1-6116-1100-00000000E801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-867.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000161847Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:07.173{C6197713-26A1-6116-1100-00000000E801}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-867.attackrange.local123ntpfalse10.0.1.14-123ntp 354300x8000000000000000161846Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:06.861{C6197713-26AC-6116-6100-00000000E801}3704C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-867.attackrange.local52179-false10.0.1.12-8000- 23542300x8000000000000000161845Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:10.034{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041489655E3F0B7A8585A766B7B7D520,SHA256=4434D5C5158C57E36E136A62F94662D1E6FD0934FFF330040919E6FB79B6B342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215584Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:11.736{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D547DD2D01A6EA5FC47AA60AC6F5535,SHA256=0CBC7D3FAE2F082C336392451F797D78F18C425FBCBFD5EEE8AC22422E93F28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161849Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:11.050{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE00792D7738E2D020763691FEF28FA,SHA256=609794518B469243444602C55F926E3E880E721D07482091F077A0B0A55283D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215585Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:12.754{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2177C19A0BC4DA1408334AAD16DDAE,SHA256=52E0C6427F29594B25BDC7F539DDA6B46C9ACB700CD75AAD38BEA2CE3A462B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161850Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:12.112{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DABB11ED146AB852FC2AAAA8F65684,SHA256=63BD7A8F7DB5741384B7223DAB84DAF963BFFA9F08F101DA8DA4E4532B8F43C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215586Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:13.787{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9CEBA8603F6E79B403A6A3826B4092,SHA256=9CDE1160A1C6FF9C118DCA1A1F1BEE8772529B45A1D31E9A09B17C05436DD2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161851Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:13.112{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B395E19D6796BA3C3BAAE855CB537E51,SHA256=0C79D9FFFD182985EDDFEBF7BAAAE47EED8D5ACC6D9AABC04BF9758775280ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000215588Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:14.804{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A236264458A27FD6C221FFF101A73E,SHA256=D00F4BB4A9C68D180416B94AE2AE4BCC7E3843E8B1C5BD6542E9C4F0EF6AF11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161852Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:14.128{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D94A6B8ED4729FF178266771701DA8A,SHA256=0EFF4B716BF466740948B4EA1991C40038781EA3918134D7FF6C506D0EC1D843,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000215587Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:11.196{079FE16A-26BA-6116-6900-00000000E701}3364C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-414.attackrange.local64843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000215589Microsoft-Windows-Sysmon/Operationalwin-dc-414.attackrange.local-2021-08-13 11:22:15.819{079FE16A-26C1-6116-7200-00000000E701}3852NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F17349B622ADF9740117BB829360A09,SHA256=AAFA6FA9C74A775DAFD7751DFA7E9C4ECB2DA5C41AFDDB94B9B00B50FA446248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000161854Microsoft-Windows-Sysmon/Operationalwin-host-867.attackrange.local-2021-08-13 11:22:15.128{C6197713-26B3-6116-6B00-00000000E801}3076NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03575C2CAB67B5A613393B6D5AA443BD,SHA256=6E5F4DE868BE4F3964FEF318F13DE68932215C6B43FC5BDA5578877137DB65A5,IMPHASH=00000000000000000000000000000000falsetrue 354